Thank you for your quick answer, which is helpful but not exactly what I had in mind ;) You couldn’t know this because I forgot to mention my aims. I’m trying to realise the following scenario: The CRL shall be kept on the server of the SSL website and not within the servers of the CA, in order to reduce the huge amount of traffic which goes hand in hand with the periodic CRL update. The CRL has to be created and signed by the CA and then sent to the server of the SSL website, where the CRL is stored and can be accessed by the rest of the SSL world. As you can see, an environment variable goes in the right direction, but having a variable for each client of the CA is not yet ideal. I know that this scenario is probably not realisable today, but that should not concern us in the meantime.
I’m anxious to read comments about “my” scenario or probably a solution for my problem.

best regards
domi

Patrick Patterson-3 wrote:
>
> On Wednesday 31 January 2007 06:45, domi wrote:
>> Hello,
>>
>> I searched and tried a lot but wasn't able to solve the following problem:
>>
>> I have built my own little CA (with the help of the OpenSSL book of O'Reilly). I can create certificate requests and issue certificates from them. Now I want to do the following:
>>
>> The certificate request should include the crlDistributionPoints. (I'm able to enter the DP under certificate_extensions.) That's no problem so far.
>> But now the CA should create the certificate without knowing the CRL DP in the forefront. The CA should take the CRL DP entered by the user and put it into the certificate. Unfortunately I wasn't able to manage this.
>> I tried a lot of things like crlDistributionPoints=supplied for example, but nothing worked.
>>
>> Summary: The certificate shall include the crlDistributionPoints without being written statically into the openssl.cnf of the CA.
>>
> I'm not sure how this would be doable (I suppose "copy extensions" might be what you want), however, I also have no idea why you would ever want a subject to be defining the distribution point for the CA. If you are trying to roll over the CRLdp (for instance, if you are trying to have only a given number of certificates in a particular CRL), you might want to have an environment variable ($ENV::CRLNUMBER), and have that appended to the URI in the certificateDistributionPoint extension.
> i.e:
>
> export CRLNUMBER=5
> openssl ca -in certreq.pem -out cert.pem
>
> (where there is a usr_ext section in your stock openssl.cnf with the line:
>
> crlDistributionPoints = URI:http://www.example.com/someurl/$ENV::CRLNUMBER.crl
>
> However, with OpenSSL, this is probably a bit tricky, since you'll have to keep a mapping for the certificate, and parse that before you do the revoke so that you can do the right thing.
>
> --
> Patrick Patterson
> President and Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
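To make the $ENV::CRLNUMBER suggestion in the quoted reply concrete, here is an added example (not code from the thread or from the OpenSSL project): a throwaway CA in a temp directory whose usr_ext section takes the CRL DP URI from the environment at signing time, then reads the URI back out of the issued certificate, which is the per-certificate mapping the reply says you will need before revoking. It assumes the openssl command line tool is on PATH; www.example.com is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread: a scratch CA whose crlDistributionPoints
# URI is filled in from the CRLNUMBER environment variable when openssl ca
# runs. www.example.com is a placeholder host.
set -e

# Create a minimal CA (key, self-signed cert, database files, openssl.cnf).
setup_ca() {
  WORK=$(mktemp -d)
  cd "$WORK"
  mkdir newcerts
  : > index.txt
  echo 1000 > serial
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout ca.key -out ca.crt -subj /CN=DemoCA 2>/dev/null
  # Quoted heredoc: $dir and $ENV::CRLNUMBER must reach openssl literally,
  # because openssl expands them itself while parsing the config file.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 1
unique_subject = no
policy = any_policy
x509_extensions = usr_ext
[ any_policy ]
commonName = supplied
[ usr_ext ]
crlDistributionPoints = URI:http://www.example.com/someurl/$ENV::CRLNUMBER.crl
EOF
}

# Sign a fresh CSR with CRLNUMBER=$1 and print the CRL DP URI the cert carries;
# the last line is how you recover "which CRL does this cert belong to" later.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj /CN=client 2>/dev/null
  CRLNUMBER="$1" openssl ca -batch -config ca.cnf -notext \
    -in client.csr -out "client$1.crt"
  openssl x509 -in "client$1.crt" -noout -text | grep -o 'http://[^ ]*\.crl'
}
```

Run `setup_ca && issue_cert 5` to see the URI printed. If CRLNUMBER is unset, openssl ca refuses to load the config ("variable has no value"), so a forgotten export fails the signing rather than issuing a certificate with an empty URI.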