On Wed, Jul 30, 2014, Jason Schultz wrote:

> OK. So as far as you're aware, there's not a way to avoid the requirement of
> the combined root cert/CRL file when checking for revoked certificates? I
> would prefer to just have to deal with the CRL in PEM format, but the CRL
> file must always be the CRL appended to the root cert, as far as I can tell.
> Thanks for your prompt responses, by the way.
>

The CRL can come from anywhere as long as it is supplied to OpenSSL in the
appropriate way. There are some standard places a CRL can be included, such as
a file or directory containing the set of trusted certificates, but it is not a
requirement.

I can't really comment more without seeing a sample of how your code is loading
the CRL and how it is enabling CRL checks.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
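
The point made in the reply above, as an added example that is not part of the original message and not code from the OpenSSL project: the `openssl verify` command is given the root certificate and the CRL as two separate PEM files, and revocation is still detected. The throwaway CA, the file names, the subjects and the config file are all constructed for this demo, and it assumes an `openssl` binary recent enough to support `-CRLfile`.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, one leaf certificate, and a CRL revoking it.
# Every file name, subject and config value below is made up for this example.
crl_demo() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  trap 'rm -rf "$dir"' EXIT
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
unique_subject = no
EOF
  : > index.txt
  {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 7 \
      -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem &&
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
      -set_serial 2 -days 7 -out leaf.pem &&
    openssl ca -config ca.cnf -revoke leaf.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem
  } >/dev/null 2>&1 || exit 1
  # Without CRL checking, the revoked leaf still chains to the root.
  openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1 || exit 1
  # CRL checking enabled but no CRL supplied: verification must fail.
  openssl verify -crl_check -CAfile ca.pem leaf.pem >/dev/null 2>&1 && exit 1
  # Root and CRL in two separate PEM files: the revocation is detected.
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1) && exit 1
  printf '%s\n' "$out" | grep -q "certificate revoked"
)

if crl_demo; then echo "revocation detected with separate root and CRL files"
else echo "demo did not behave as expected (is openssl installed?)"; fi
```

The second check shows the other half of the reply: turning on CRL checking without supplying any CRL makes verification fail, so both the CRL source and the check flag have to be set.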