Hi all,

I'm setting up a CA using OpenSSL. I would like it to have a CDP
(CRL Distribution Point) which publishes the same CRL at two
locations (different transports, equal content).

For that purpose I'd like to name the CDP using a general name that
would be included in both the CDP extension of the issued certificates
(end-entity and subordinate authorities alike) and the IDP extension
of the CRL.

I would like to do that because of the delta CRLs that I plan to use
(the freshest, aka delta, CRL and the full CRL need to have the same
name, and for that purpose I decided it would be best to use a dirName
for naming and the URI just as a reference to the transport mechanism
and file location).

I'm using the Debian package, version 0.9.8g-3 (libssl0.9.8), and the
version string reported is: OpenSSL 0.9.8g 19 Oct 2007. Arch is i386.

I have read http://www.openssl.org/docs/apps/x509v3_config.html
where (apart from the fact that the document lacks any date, author or
revision) it states that this could be accomplished using something like:

  crlDistributionPoints=crldp1_section

  [crldp1_section]
  fullname=URI:http://myhost.com/myca.crl
  CRLissuer=dirName:issuer_sect
  reasons=keyCompromise, CACompromise

  [issuer_sect]
  C=UK
  O=Organisation
  CN=Some Name

Well, for me, it just did not work. The same goes for IDP extension.

Another problem I found is that even the docs are not consistent about
how that section is to be included:

  crlDistributionPoints=crldp1_section

  issuingDistributionPoint=critical, @idp_section

Notice: no monkey (@) in front of crldp1_section. (?!)

What worked for me is THIS:


  [ G1CA_crl_ext_full ]
  authorityKeyIdentifier  = keyid:always,issuer:always
  issuerAltName           = email:[EMAIL PROTECTED],URI:http://www.girica.example.com/
  authorityInfoAccess     = OCSP;URI:http://ocsp.girica.example.com/ocsp/g1ca.ocsp,\
                            caIssuers;URI:http://aia.girica.example.com/aia/g1ca.aia
  crlNumber               = ASN1:INT:$ENV::CRL_SERIAL
  freshestCRL             = ASN1:SEQUENCE:${CA}_fresh_crl
  # RFC 5280 5.2.5 requires the issuing distribution point extension to be critical
  issuingDistributionPoint = critical,ASN1:SEQUENCE:${CA}_full_crl_idp


  # freshestCRL: CRLDistributionPoints ::= SEQUENCE OF DistributionPoint,
  # one DistributionPoint per transport the delta CRL is published on
  [ G1CA_fresh_crl ]
  g1_dp.1 = SEQ:g1_dp10
  g1_dp.2 = SEQ:g1_dp20
  # distributionPoint [0] DistributionPointName
  [ g1_dp10 ]
  g1_dp = IMP:0C,SEQ:g1_dp100
  [ g1_dp20 ]
  g1_dp = IMP:0C,SEQ:g1_dp200
  # fullName [0] GeneralNames
  [ g1_dp100 ]
  g1_dp = IMP:0C,SEQUENCE:g1_dp100u
  # uniformResourceIdentifier [6] IA5String
  [ g1_dp100u ]
  g1_dp = IMP:6C,IA5STRING:http://crl.girica.example.com/crl/g1ca-delta.crl
  [ g1_dp200 ]
  g1_dp = IMP:0C,SEQUENCE:g1_dp200u
  [ g1_dp200u ]
  g1_dp = IMP:6C,IA5STRING:ldap://ldap.girica.example.com/c=HR,o=GIRICA,ou=G1CA,cn=CRL?certificateRevocationList;binary


  # IssuingDistributionPoint of the full CRL; the [0] name below must be
  # the same one the certificates carry in their CDP extension
  [ G1CA_full_crl_idp ]
  dpName.1 = IMP:0C,SEQ:crl_dp_url
  # the BOOLEANs are DEFAULT FALSE: in DER they are only encoded when TRUE
  #onlyUserCerts = IMP:1C,BOOLEAN:TRUE
  #onlyCACerts = IMP:2C,BOOLEAN:FALSE
  #indirectCRL = IMP:4C,BOOLEAN:FALSE

  [ crl_dp_url ]
  dp = IMP:0C,SEQUENCE:crl_dp_url_u

  # GeneralNames: directoryName [4] Name, then uniformResourceIdentifier [6]
  [ crl_dp_url_u ]
  dp.4 = IMP:4C,SEQUENCE:crl_dp_dirname
  dp.6 = IMP:6C,IA5STRING:ldap://ldap.girica.example.com/c=HR,o=GIRICA,ou=G1CA,cn=CRL?certificateRevocationList;binary

  # Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN is a SET OF
  # AttributeTypeAndValue SEQUENCE { type OID, value PrintableString }
  [ crl_dp_dirname ]
  d1_c       = SET:crldp_1_c
  d1_o       = SET:crldp_1_o
  d1_ou      = SET:crldp_1_ou
  d1_cn      = SET:crldp_1_cn

  [ crldp_1_c ]
  d = SEQ:crldp_1_c_1
  [ crldp_1_o ]
  d = SEQ:crldp_1_o_1
  [ crldp_1_ou ]
  d = SEQ:crldp_1_ou_1
  [ crldp_1_cn ]
  d = SEQ:crldp_1_cn_1

  [ crldp_1_c_1 ]
  o = OID:2.5.4.6
  v = PRINTABLESTRING:HR
  [ crldp_1_o_1 ]
  o = OID:2.5.4.10
  v = PRINTABLESTRING:GIRICA
  [ crldp_1_ou_1 ]
  o = OID:2.5.4.11
  v = PRINTABLESTRING:G1CA
  [ crldp_1_cn_1 ]
  o = OID:2.5.4.3
  v = PRINTABLESTRING:GIRICA-Root-CA


Or, in other words, I did everything manually using ASN1. Is there a
better (handier and more readable) way to achieve the same result?

How do I turn on those elegant options for CDP and IDP described in
the x509v3_config manpage?

Cheers everybody!

d.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
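Added illustration of what the hand-written ASN1: sections in the post above encode (this is not code from the post and not OpenSSL's own code). Using only the Python standard library, it builds the DER for a DistributionPoint whose fullName carries a dirName plus an LDAP URI, wraps it as both a certificate's crlDistributionPoints value and a CRL's issuingDistributionPoint value, and then applies the RFC 5280 6.3.3 rule that makes "the same name in CDP and IDP" matter: at least one GeneralName in the IDP must equal one GeneralName in the certificate's DP. The DN and URLs are the ones from the post; the OID table, the function names and the short `http://x` name used in the checks are this example's own assumptions.

```python
"""DER for the CDP/IDP structures the post builds by hand, and the RFC 5280 check
that a CRL's IDP name matches the certificate's CDP.  Standard library only.
Added example: not the post's own config and not OpenSSL code."""

# Attribute types used in the post's dirName (this OID table is the example's own).
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def gn_dirname(rdns) -> bytes:
    """directoryName [4] Name, Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString };
    the implicit tag replaces the outer SEQUENCE tag, hence 0xA4 (IMP:4C in the post)."""
    body = b""
    for attr, value in rdns:
        atv = tlv(0x30, der_oid(ATTR_OIDS[attr]) + tlv(0x13, value.encode("ascii")))
        body += tlv(0x31, atv)
    return tlv(0xA4, body)

def gn_uri(uri: str) -> bytes:
    """uniformResourceIdentifier [6] IMPLICIT IA5String -> 0x86 (IMP:6C in the post)."""
    return tlv(0x86, uri.encode("ascii"))

def dp_name(general_names) -> bytes:
    """distributionPoint [0] EXPLICIT DistributionPointName, fullName [0] IMPLICIT GeneralNames:
    A0 { A0 { GeneralName... } }, exactly what the nested IMP:0C,SEQ sections emit."""
    return tlv(0xA0, tlv(0xA0, b"".join(general_names)))

def crl_distribution_points(*dp_names: bytes) -> bytes:
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint (also used by freshestCRL)."""
    return tlv(0x30, b"".join(tlv(0x30, d) for d in dp_names))

def issuing_distribution_point(dpn: bytes, only_user=False, indirect=False) -> bytes:
    """IssuingDistributionPoint; the DEFAULT FALSE BOOLEANs are omitted in DER unless TRUE."""
    body = dpn
    if only_user:
        body += tlv(0x81, b"\xff")  # onlyContainsUserCerts [1]
    if indirect:
        body += tlv(0x84, b"\xff")  # indirectCRL [4]
    return tlv(0x30, body)

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the element); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        yield tag, inner

def dp_general_names(seq: bytes) -> set:
    """fullName GeneralNames of a DistributionPoint or IDP SEQUENCE, as encoded elements."""
    _, body, _ = parse_tlv(seq)
    for tag, inner in children(body):
        if tag == 0xA0:  # distributionPoint [0]
            for tag2, gns in children(inner):
                if tag2 == 0xA0:  # fullName [0]
                    return {tlv(t, g) for t, g in children(gns)}
    return set()

def idp_matches_cdp(idp: bytes, cdp: bytes) -> bool:
    """RFC 5280 6.3.3 (b)(2)(i): one IDP name must equal one name in some DP of the CDP."""
    idp_names = dp_general_names(idp)
    _, body, _ = parse_tlv(cdp)
    return any(idp_names & dp_general_names(tlv(tag, dp)) for tag, dp in children(body))

# Sample input constructed from the names in the post.
G1CA_DN = [("C", "HR"), ("O", "GIRICA"), ("OU", "G1CA"), ("CN", "GIRICA-Root-CA")]
LDAP_URI = "ldap://ldap.girica.example.com/c=HR,o=GIRICA,ou=G1CA,cn=CRL?certificateRevocationList;binary"
DELTA_URI = "http://crl.girica.example.com/crl/g1ca-delta.crl"
FULL_CRL_NAME = dp_name([gn_dirname(G1CA_DN), gn_uri(LDAP_URI)])
CERT_CDP = crl_distribution_points(FULL_CRL_NAME)    # crlDistributionPoints in the certificates
CRL_IDP = issuing_distribution_point(FULL_CRL_NAME)  # issuingDistributionPoint in the full CRL
DELTA_ONLY_IDP = issuing_distribution_point(dp_name([gn_uri(DELTA_URI)]))  # names only the delta URL
```

The two nested IMP:0C,SEQ levels in the config and the A0 { A0 { ... } } that dp_name() emits are the same bytes: distributionPoint is a CHOICE and so its [0] tag is necessarily EXPLICIT, while fullName's [0] is IMPLICIT on the GeneralNames SEQUENCE, and an explicit [0] wrapping an implicit [0] encodes identically to an implicit [0] on a SEQUENCE whose only element is the inner [0]. The matching check shows why the transport URI alone is enough for a verifier to pair CRL and certificate (DELTA_ONLY_IDP fails, an IDP naming just the LDAP URI passes), and why, per RFC 5280 5.2.4, a delta CRL must carry an IDP matching the complete CRL's: a delta whose IDP names only the delta URL shares no name with the certificates' CDP.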
