Hello all,

Thanks a lot. The trouble was in (outdated) info in the only relevant doc on the openssl web I found, i.e. x509v3_config(5) (http://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_) where you can find:

===quot===
Full distribution point example:

crlDistributionPoints=crldp1_section

[crldp1_section]
fullname=URI:http://myhost.com/myca.crl
CRLissuer=dirName:issuer_sect
reasons=keyCompromise, CACompromise

[issuer_sect]
C=UK
O=Organisation
CN=Some Name
===/quot===

That leads to the mentioned errors; the syntax given by Steve:

crlDistributionPoints = @crldp_section

[crldp_section]
URI.1=ldap:///<AD_crl_info_here>
URI.2=http://<webpage_with_crl_file_here>

works fine. Please consider updating the doc.

Zbynek Krejcik

-----Original Message-----
From: "Dr. Stephen Henson" <st...@openssl.org>
To: Zbyněk Krejčík <supp...@shocart.cz>
Date: Wed, 14 Jan 2009 18:39:10 +0100
Subject: Re: CRLDP in OSSL CA

> On Wed, Jan 14, 2009, Zbyněk Krejčík wrote:
>
> > Hello,
> >
> > Sorry for using your time, but I'd like to know whether I am missing
> > something obvious or is there a missing feature or tiny bug... I'll try to
> > describe as precisely as I can:
> >
> > I set up an OpenSSL CA (a chain, in fact) to generate certificates for a
> > Windows 2k8 based AD domain. (win32 ossl 0.9.8i full install running on w2k3)
> > There were no major problems setting things up for an http based CRL using
> > extension:
> > ====
> > crlDistributionPoints = URI:http://<webpage_with_crl_file_here>
> > ====
> > But one of the domain controllers is a w2k8 core server with no http support,
> > so I was forced to publish CRLs into AD and add an ldap path.
> > Using the examples in x509v3_config(5) and (open)ssl certificates Howto (and
> > later on whatever I found elsewhere) I tried:
> > ====
> > crlDistributionPoints = @crldp_section
> > [crldp_section]
> > fullname = URI:ldap:///<AD_crl_info_here>
> > ====
> > with error 3332:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:.\....\v3_alt.c:509:name=fullname
> >
>
> Ah, did you use the docs on www.openssl.org? Those correspond to the current
> development version of OpenSSL which may have some features others lack. That
> CRLDP syntax is one such feature...
>
> This example shows the more restricted syntax of previous versions:
>
> crlDistributionPoints = @crldp_section
>
> [crldp_section]
> URI.1=http://somedistpoint.com/number1
> URI.2=http://somedistpoint.com/number2
> URI.3=ldap://somedistpoint.com/some,stuff,with,loads,of,commas
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
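The working URI.n form of the crldp section from the thread, put into a complete config and checked end to end, as an added example that is not part of the thread. It assumes `openssl` is on PATH; the distinguished name, the LDAP and HTTP URIs and the scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a self-signed CA cert with the crlDistributionPoints
# section syntax that works on 0.9.8 (URI.n entries, no fullname= key), then
# read the extension back. Assumes `openssl` is on PATH; writes into $WORK.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal config. Commas in the LDAP URI are safe here because each URI is its
# own key; in the one-line "crlDistributionPoints = URI:..." form they would
# be taken as separators.
write_crldp_config() {
    cat > "$WORK/crldp.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[dn]
C  = XX
O  = Example Org
CN = Example Test CA

[v3_ca]
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, keyCertSign, cRLSign
crlDistributionPoints = @crldp_section

[crldp_section]
URI.1 = ldap:///CN=Example%20Test%20CA,CN=cdp,DC=example,DC=local?certificateRevocationList
URI.2 = http://crl.example.local/ca.crl
EOF
}

# Generate the CA key and self-signed certificate carrying the extension.
make_crldp_cert() {
    write_crldp_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/crldp.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Print the URI lines of the CRL Distribution Points extension, one per line.
# Only this extension carries URIs in the cert above, so a plain grep suffices.
crldp_uris() {
    openssl x509 -in "$WORK/ca.crt" -noout -text | grep 'URI:'
}

make_crldp_cert
crldp_uris
```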