Security Basics mailing list archives

Re: OpenSSL question


From: Patrick J Kobly <patrick () kobly com>
Date: Wed, 02 Jan 2008 11:52:47 -0700


mgk.mailing wrote:
Hi All

I'm working on a certificate authority using OpenSSL and have been for
the most part successful over the last 6 months.  Now the trial period
is over there has been one thing I keep stubbing my toe on and I was
hoping someone would be able to help/point me in the right direction.
I am trying to encode the CRL location into the certificates so that
they can be automatically updated to revoked certificates.  I know that
a lot of devices allow you to specify the address manually but was hoping
that you could generate it as part of either the root CA certificate,
signed device certificate or the signed CRL.

See RFC2459 for info on the crlDistributionPoints extension, and openssl
doco for same.  (Basically, an option that looks like:
crlDistributionPoints=URI:http://www.example.com/my.crl in the relevant
section of openssl.cnf)...  Also,
nsCaRevocationUrl=http://www.example.com/my.crl for a non-standard
pointer that still appears to be used...


PK

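The crlDistributionPoints option from the reply above, worked through end to end as an added example (not part of the original thread): a throwaway CA signs a device certificate from a config section carrying the option, and the URI is then read back out of the signed certificate. The file names, subject names and the section names `v3_ca` and `device_cert` are assumptions; the URL is the placeholder used in the reply, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Section names, file names and
# subjects are assumptions; the URL is the placeholder from the reply.
CDP_URL="http://www.example.com/my.crl"

# Build a test CA, sign one device certificate whose extension section sets
# crlDistributionPoints, and print the CRL URI found in the signed result.
issue_and_read_cdp() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ device_cert ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CDP_URL
EOF
    # Self-signed test CA (keyCertSign and cRLSign so it can also sign the CRL).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Device key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" -subj "/CN=device.example.com" \
        -keyout "$dir/dev.key" -out "$dir/dev.csr" 2>/dev/null || return 1
    # Sign the CSR; the device_cert section supplies the CDP extension.
    openssl x509 -req -in "$dir/dev.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions device_cert \
        -out "$dir/dev.crt" 2>/dev/null || return 1
    # Read the extension back: first URI under "CRL Distribution Points".
    openssl x509 -in "$dir/dev.crt" -noout -text |
        awk '/CRL Distribution Points/ {found=1; next}
             found && /URI:/ {sub(/.*URI:/, ""); print; exit}'
    rm -rf "$dir"
}

issue_and_read_cdp
```

The extension is fixed at signing time, so certificates issued before the option was added to the section have to be reissued to carry the CRL location.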
