[openssl-users] Making a CRL with an authority key identifier

Ivan Rubinson soryy708 at gmail.com
Thu Jun 1 10:31:54 UTC 2017


Aha, I can't believe I missed that.
That's why an extra pair of fresh eyes is helpful.
Thank you Juan. I'll test this now.

On Thu, Jun 1, 2017 at 1:22 PM, Juan Angel Martin (AC Camerfirma) <
martin_ja at camerfirma.com> wrote:

> Hi,
>
>
>
> Uncomment line 54
>
> crl_extensions    = crl_ext
>
>
>
> BR
>
> Juan Ángel
>
>
>
> *De:* openssl-users [mailto:openssl-users-bounces at openssl.org] *En nombre
> de *Ivan Rubinson
> *Enviado el:* jueves, 1 de junio de 2017 12:15
> *Para:* openssl-users at openssl.org
> *Asunto:* [openssl-users] Making a CRL with an authority key identifier
>
>
>
> Hello,
>
> My name is Ivan, and I'm trying to get OpenSSL to make a CRL with an
> authority key identifier.
>
> (a third party API expects it from the CRL)
>
> I make my own CA, use it to sign a certificate, and then generate the CRL.
> This is the configuration file: https://pastebin.com/yL4UBtGW (it's
> basically the example configuration file with a few changes).
>
> Here are the commands I run:
>
> Making the CA:
>
> openssl req -new -x509 -days 3650 -extensions v3_ca -keyout
> private/cakey.pem -out cacert.pem -config req.cnf
>
> Making the certificate:
>
> openssl req -new -nodes -out pdf-req.pem -keyout private/pdf-pkey.pem
> -config req.cnf
> openssl ca -config req.cnf -out pdf-cert.pem -infiles pdf-req.pem
>
> Making the CRL:
>
> openssl ca -config req.cnf -gencrl -out crl.pem
>
>
>
> I'm using OpenSSL-Win64 0.9.8g
>
> Even though on line 251 I ask OpenSSL to have an authority key identifier,
> the generated CRL doesn't have it. I've searched on google and tried
> multiple things (like uncommenting issuerAltName, or giving it different
> options) and the CRL still doesn't have it.
>
> At this point I'm stumped, and I'd like to ask you nice people for help.
>
> Thank you in advance,
>
> Ivan Rubinson
>
>
>
>
> <https://www.avast.com/en-us/lp-safe-emailing-3108-b?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=oa-3108-b>
>
> Virus-free. www.avast.com
> <https://www.avast.com/en-us/lp-safe-emailing-3108-b?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=oa-3108-b>
>
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170601/ae0bc593/attachment-0001.html>


More information about the openssl-users mailing list