
List:       openssl-users
Subject:    FW: CRL
From:       Sarath Chandra M <sarath () uaeexcent ! co ! ae>
Date:       2001-11-29 14:05:46

Hafida,
	I had a similar problem sometime back. I have attached
below some responses I got at that time. Let me know if you
get any info and when you do it successfully.
Read from the bottom.

-----Original Message-----
From: gerardo.maiorano@tiscalinet.it [mailto:gerardo.maiorano@tiscalinet.it]

Sent: 26 September 2001 12:30
To: Sarath Chandra M
Subject: RE: CRL how to


Hi, 
OpenSSL does not automatically provide certificate management, for example
certificate revocation. In this case you must write a program that
handles the file index.txt (which, in turn, is also handled by openssl CA).
The entry before the serial number is the time when the certificate was
revoked by the certificate authority. The symbol R in the first field
stands for "this certificate has been revoked", while the symbol V stands
for "this certificate is valid and expires on the date indicated in the second
field". The two statements must be used for creating the PKCS7 file that
should be used by applications.

The file index.txt is a simple database used by openssl to track the issuing
of certificates; however, a complete manipulation of this database is out of
the scope of the openssl library. The modifications to the file index.txt are
used by the openssl command "ca" to make the CRL. At this point, this
modification should be handled by your software.


-- Messaggio Originale --

>Hi,
>	Thank you very much for the immediate reply. You have asked
>me to modify the entries in the index.txt file. But there is an 
>additional number in each entry just before the serial no. How is it 
>obtained ? And doesn't changing the first character V to R give any 
>problem ?
>
>What is the relation between the following two
>statements and the above modification :
>
>ca -gencrl -crldays 30 -out temp.pem
>crl2pkcs7 -in temp.pem -out pkcs7_crl.pem
>
>thanx n regards
>Sarath Chandra M
>-----Original Message-----
>From: gerardo.maiorano@tiscalinet.it 
>[mailto:gerardo.maiorano@tiscalinet.it]
>Sent: 25 September 2001 13:28
>To: openssl-users@openssl.org
>Subject: RE: CRL how to
>
>
>Hi Sarath,
>In the openssl CA directory there is a file named "index.txt" which 
>contains a summary of the issued certificates. For example:
>V	020925082220Z		01	unknown	/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
>V	020925082341Z		02	unknown	/C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo
>These entries must be modified in order to make the CRL:
>R	020925082220Z	010925090120Z	01	unknown	/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy
>R	020925082341Z	010925092341Z	02	unknown	/C=AU/ST=New Zeland/L=Wellington/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo
>
>At this point just enter the following statements at prompt:
>$ ca -gencrl -crldays 30 -out temp.pem
>$ crl2pkcs7 -in temp.pem -out pkcs7_crl.pem
>
>At this point you have a PKCS7 file containing a CRL, which can be 
>imported into whatever application supporting it.
>
>Best Regards
>						[Gerardo Maiorano]
>
>-- Original Message --
>
>>
>>Hi,
>>    I have installed openssl and have started generating client 
>>certificates. I would like to know, how I can create and maintain 
>>CRLs.
>> 
>>I would appreciate if anybody provides any help or resource pointers 
>>for this.
>> 
>>thanx in advance
>>Sarath Chandra M
>> 
>>



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
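
An added example, not part of the original thread or of OpenSSL: a small parser for the index.txt database discussed above, which also answers the question of whether changing V to R alone is a problem by flagging entries whose status and revocation time disagree. It assumes the six tab-separated fields shown in the thread (status, expiry, revocation time, serial, file name, subject); the names `Entry`, `parse_time` and `parse_index` are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# First two lines come from the thread's entries; the third is constructed
# to show a status flipped to R without a revocation time.
SAMPLE = (
    "R\t020925082220Z\t010925090120Z\t01\tunknown\t"
    "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Goofy\n"
    "V\t020925082341Z\t\t02\tunknown\t/C=AU/ST=New Zeland/L=Wellington"
    "/O=Internet Widgits Pty Ltd/OU=uncle duck/CN=Gogo\n"
    "R\t020925083000Z\t\t03\tunknown\t/C=AU/O=Constructed/CN=Broken\n"
)

@dataclass
class Entry:
    status: str                     # V = valid, R = revoked, E = expired
    expires: datetime
    revoked_at: Optional[datetime]  # set only when status is R
    serial: int
    subject: str

def parse_time(stamp: str) -> datetime:
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if len(stamp) == 13:            # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(stamp[:2])
        stamp = f"{1900 + yy if yy >= 50 else 2000 + yy}{stamp[2:]}"
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str):
    """Return (entries, problems); problems holds (line number, message)."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 6:
            problems.append((lineno, "expected 6 tab-separated fields"))
            continue
        status, expires, revoked, serial, _file, subject = fields
        when = revoked.split(",")[0]   # a ",reason" suffix may follow the time
        if (status == "R") != bool(when):
            problems.append((lineno, "status and revocation time disagree"))
            continue
        try:
            entries.append(Entry(status, parse_time(expires),
                                 parse_time(when) if when else None,
                                 int(serial, 16), subject))
        except ValueError as exc:
            problems.append((lineno, f"bad field: {exc}"))
    return entries, problems
```

OpenSSL also provides `openssl ca -revoke`, which writes the R status and the revocation time into index.txt itself, so a check like this is mainly useful for auditing a database that has been edited by hand.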

