Hi,

I created a testing CA with openssl. I generated my root private key and my
self-signed root certificate. Then, I created a server authentication
certificate issued by my root certificate. I also created an empty CRL to be
published that will last for a year. In the CRL distribution point of my
server authentication certificate, I put a URL from which to get the CRL. It
looks like this:

 

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://www.mysite.com/crl/My_CA.crl

 

I have a server running Fedora with Apache and I put the file My_CA.crl in
the proper place so it can be downloaded from
http://www.mysite.com/crl/My_CA.crl. If I put the URL in IE or Firefox, I am
able to download the file without problems, but if I verify my server
authentication certificate by using either certutil -verify (Windows) or
openssl verify -crl_check (Linux), they both display "unable to get
certificate CRL".

 

I am new to openssl. I don't know if I have to do something extra to publish
my CRL correctly so it can be available for downloading when requested.

 

This is what my CRL looks like:

 

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=Test/OU=Certificates Authorities/OU=Test Root CA
        Last Update: Apr 28 15:38:24 2010 GMT
        Next Update: Apr 28 15:38:24 2011 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:AD:C8:C1:A3:6B:87:7F:A9:45:C5:83:C5:57:57:D4:0E:4D:CF:4F:8D
            X509v3 CRL Number:
                1
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption


 

Thanks in advance,

 

Alberto
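
An added example, not part of the original post: a throwaway lab that recreates the setup described above (root CA, server certificate with a CRL distribution point, empty one-year CRL) and runs openssl verify -crl_check first with no CRL on hand and then with the CRL passed as a local file. It assumes an OpenSSL build whose verify command supports -CRLfile; the file names, subject names and config layout are constructed for this example.

```shell
#!/usr/bin/env bash
# Constructed throwaway CA mirroring the setup in the post (example code only).
# File names, subject names and the config layout are assumptions of this example.
build_lab() {
  dir=$1
  mkdir -p "$dir" && : > "$dir/index.txt" && echo 01 > "$dir/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
crlDistributionPoints = URI:http://www.mysite.com/crl/My_CA.crl
[ ca ]
default_ca = lab
[ lab ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 365
EOF
  # Root private key and self-signed root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -subj "/C=US/O=Test/CN=Test Root CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Server certificate carrying the CRL distribution point
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/C=US/O=Test/CN=www.mysite.com" -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 30 -extfile "$dir/ca.cnf" -extensions server_ext -out "$dir/srv.pem" 2>/dev/null
  # Empty CRL that lasts for a year
  openssl ca -gencrl -config "$dir/ca.cnf" -cert "$dir/ca.pem" -keyfile "$dir/ca.key" \
    -out "$dir/My_CA.crl" 2>/dev/null
}
# No CRL supplied locally: the revocation check has nothing to check against
verify_without_crl() { openssl verify -crl_check -CAfile "$1/ca.pem" "$1/srv.pem" 2>&1; }
# CRL supplied as a local file (for example after fetching it from the distribution point)
verify_with_crl() {
  openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/My_CA.crl" "$1/srv.pem" 2>&1
}
lab=$(mktemp -d) && build_lab "$lab"
verify_without_crl "$lab" || true
verify_with_crl "$lab"
```
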

 
