On Mar 18, 2014, at 2:19 PM, Clemson University <www.clemson....@gmail.com> wrote:
> Hello:
>
> What I can find online or in the book "Network Security with OpenSSL" is using the command line to generate a CRL. However, what I want to do is to let my server receive a serial number from an outside interface and generate a CRL. I have looked in many places and never found an article that mentions it.
>
> Can anyone help or show me how to do it?

It depends a little on how you track your CRLs and certificates (or how you want to do it).

Basically, you'll need to create an X509_CRL and an X509_REVOKED, and use X509_CRL_add0_revoked(), and then don't forget to sign the new CRL (and add any extensions you need/want).

You should save the serial number or CRL somewhere, so that future updates will still show the previously revoked certificates as revoked. If you look at the openssl source code, at apps/ca.c, you'll see how the openssl command line deals with this (hint: it creates/updates a file that tracks the revoked certificate serial numbers and other relevant info, then uses another command to generate CRLs with each revoked certificate serial number as requested).

If you go the route of keeping just the previously generated CRL, you'll probably want to use d2i_X509_CRL/i2d_X509_CRL (or maybe one of the PEM/BIO/fp variants), and when revoking something new, create a new CRL with all of the original data. I seem to recall that trying to use the same X509_CRL structure was more trouble than it was worth, so I always created a fresh one.

Also, be sure you know your use cases well before trying to decide if you want to generate a new CRL every time or not. That may be necessary, or that might be wasted CPU cycles and disk space. :)

TOM