What is the environment variable OPENSSL_CONF pointing to?
If it is not defined, is the change you made actually in the "/usr/local/ssl/openssl.cnf" that openssl reads?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Charles Harmon
Sent: Friday, January 16, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: new CA & crlDistributionPoints


Hello all,

I am desperately trying to get crlDistributionPoints stamped into my
(server/client) certificates.  For some reason it does not get added to
any certificate I generate.  I have read through the openssl.txt file
and it just says to add the following to the x509_extensions section:

crlDistributionPoints           = URI:http://hostname.domain.com/mycrl.crl

Well, no luck.  I have been searching through the archives for this list
and basically it says the same thing.  In a last ditch I went and bought
the O'Reilly openSSL book today which proved to be just as helpful.  I
don't even see a reference to crlDistributionPoints in the book!  As
this is my first attempt in setting up a CA I'm sure I am missing
something stupid.  If anyone has a free moment to help me out it would
be greatly appreciated.  I have included my openssl.cnf file for review.
Since this is my first attempt any advice or recommendations would be
useful.

Thanks!

Charles

# openssl.cnf
# OpenSSL configuration read by the `ca` and `req` commands.  Which copy
# is loaded depends on the OPENSSL_CONF environment variable (or the
# compiled-in default path) unless -config is given on the command line,
# so edits only take effect in the file openssl actually opens.
# '#' to end of line is a comment; $name and $ENV::NAME are expanded
# when a value is read.
# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
# PRNG seed file; $ENV::HOME reads the HOME environment variable.
RANDFILE                = $ENV::HOME/.rnd
# Section holding extra object identifiers (empty in this file).
oid_section             = new_oids

[ new_oids ]
# Intentionally empty: referenced by oid_section above.  Add
# "shortname = 1.2.3.4" lines here only if custom OIDs are needed.


########################################################################
###
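[ ca ]
# Section the `ca` command uses unless -name is given on the command line.
# Comment moved to its own line: the original inline comment had been
# wrapped onto a second line ("section"), which the parser would read as
# a bare entry without '=' and reject.
default_ca                      = myCA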

########################################################################
###
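[ myCA ]
# CA root directory; every other path below is relative to it.
# Trailing whitespace removed from all values (harmless to OpenSSL, but
# it hides in diffs and trips stricter INI readers).
dir                             = /usr/local/ssl/myCA
certs                           = $dir/certs
crl_dir                         = $dir/crl
# Text database of issued certificates; must exist before `ca` runs.
database                        = $dir/index.txt
new_certs_dir                   = $dir/newcerts

certificate                     = $dir/private/cacert.pem
serial                          = $dir/serial
crl                             = $dir/crl.pem
private_key                     = $dir/private/cakey.pem
RANDFILE                        = $dir/private/.rand

# Extensions stamped into every certificate `ca` signs.  For
# crlDistributionPoints to appear in issued certificates it must be in
# this section ([ usr_cert ]), not only in [ v3_ca ].
x509_extensions                 = usr_cert
# Validity in days for certificates and CRLs respectively.
default_days                    = 365
default_crl_days                = 30
# Signature digest.  MD5 is collision-prone and must not be used for
# certificate signatures; sha256 needs OpenSSL 0.9.8 or later (fall back
# to sha1 only on older builds).
default_md                      = sha256
# no = do not keep the request's DN ordering; use the policy section order.
preserve                        = no
policy                          = policy_match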

########################################################################
###
[ policy_match ]
# Per DN field: match = must equal the CA certificate's value,
# supplied = must be present, optional = may be absent.
# Field order here is also the subject order of issued certificates.
countryName                     = match
stateOrProvinceName             = match
organizationName                = match
organizationalUnitName          = optional
commonName                      = supplied
emailAddress                    = optional
########################################################################
###
[ policy_anything ]
# Permissive policy: only commonName is required.  Not selected by
# [ myCA ] (policy = policy_match); use `ca -policy policy_anything`.
countryName                     = optional
stateOrProvinceName             = optional
localityName                    = optional
organizationName                = optional
organizationalUnitName          = optional
commonName                      = supplied
emailAddress                    = optional

########################################################################
###
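[ req ]
# RSA key size for `req -new`/`-newkey`.  1024-bit RSA is below current
# minimum key strength; 2048 is the smallest size that should be issued.
default_bits                    = 2048
default_keyfile                 = privkey.pem
distinguished_name              = req_distinguished_name
attributes                      = req_attributes
# Used only for self-signed certificates made with `req -x509` (i.e. the
# CA certificate).  Certificates signed by `ca` get the x509_extensions
# named in [ myCA ] instead.
x509_extensions                 = v3_ca
# DN string types: PrintableString and T61String only (no BMP/UTF8).
string_mask                     = nombstr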

########################################################################
###
[ req_distinguished_name ]
# Each entry is a prompt string; <field>_default, _min and _max give the
# default value and length limits for that field.  Order is prompt order.
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)

localityName                    = Locality Name (eg, city)

# The "0." prefix lets the same field name be listed more than once.
0.organizationName              = Organization Name (eg, company)

organizationalUnitName          = Organizational Unit Name (eg, section)

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 40

########################################################################
###
[ req_attributes ]
# Optional attributes stored in the request itself, not the certificate.
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
########################################################################
###
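[ usr_cert ]

# These extensions are added when 'ca' signs a request.
# Every value must stay on one line (or be continued with a trailing
# backslash).  The keyUsage, crlDistributionPoints and nsComment values
# had been wrapped by the mail client onto a second line with no '=',
# which the config parser rejects; they are rejoined below.

# End-entity certificate; critical so it can never act as a CA.
basicConstraints                = critical, CA:false
keyUsage                        = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage                = clientAuth, emailProtection
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
# Copy the subject DN's emailAddress into subjectAltName.
subjectAltName                  = email:copy
issuerAltName                   = issuer:copy
# Where relying parties fetch the CRL; the URL must be reachable by them.
crlDistributionPoints           = URI:http://hostname.domain.com/mycrl.crl
nsCertType                      = client, email
nsComment                       = "This certificate was issued for testing only!"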

########################################################################
###
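[ v3_req ]

# Extensions to add to a certificate request.
# Not referenced by [ req ] (no req_extensions key); enable with
# req_extensions = v3_req there or `req -reqexts v3_req`.
# keyUsage rejoined onto one line: the wrapped continuation had no '='
# and is not valid config syntax.

basicConstraints                = CA:FALSE
keyUsage                        = nonRepudiation, digitalSignature, keyEncipherment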

########################################################################
###
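[ v3_ca ]

# Extensions for a typical CA (applied by `req -x509` via [ req ]).

subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always
# CA flag marked critical, as the PKIX profile (RFC 5280) requires for
# CA certificates.
basicConstraints                = critical, CA:true
# Rejoined onto one line: the wrapped continuation had no '=' and is
# not valid config syntax.
crlDistributionPoints           = URI:http://hostname.domain.com/mycrl.crl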

########################################################################
###
[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# Not referenced by [ myCA ] (no crl_extensions key); add
# crl_extensions = crl_ext there or use `ca -gencrl -crlexts crl_ext`.

issuerAltName                   = issuer:copy
authorityKeyIdentifier          = keyid:always,issuer:always
