[openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

Dr. Stephen Henson steve at openssl.org
Tue Mar 8 19:46:05 UTC 2016


On Tue, Mar 08, 2016, o haya wrote:

> 
> Our websites are configured for SSL client authentication with CRLs in a directory pointed to by SSLCACertificateRevocationPath and SSLCARevocationCheck set to "chain".  We then place our CRLs in the directory and create the hashes for them using an app or script that we wrote.  I think that this essentially does something like:
> 
> ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0
> 
> However, when we did a test upgrade of one of our production instances, the requests are failing and, in the error logs, we are seeing the following messages:
> 
> 

A couple of possibilities. One is that the time isn't properly set on the
machine which has this problem. Another is that there may be multiple CRLs
with the same hash: have you checked for that? If there are you need to use
the form .r1, .r2 etc.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
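A helper for the collision case Steve raises, added here as an example (it is not from this thread or from the OpenSSL project): it computes the CRL hash, takes the next free .rN slot instead of overwriting .r0, and lists hashes shared by more than one CRL. Function names are this example's own, and CRL files are assumed to already sit in the revocation directory.

```shell
#!/bin/sh
# Maintain an SSLCARevocationPath-style hash directory: each CRL is linked
# as <issuer-hash>.rN, and when two CRLs hash to the same value the next
# free N is used instead of clobbering .r0. Function names are this
# example's own; CRL files are assumed to already sit in the directory.

crl_hash() {
    # Issuer-name hash used for lookups. Hash with the same OpenSSL major
    # version that mod_ssl links against, since the hash scheme changed
    # between 0.9.8 and 1.0.0.
    openssl crl -hash -noout -in "$1"
}

crl_link_name() {
    # Print the first <dir>/<hash>.rN that is free or already points at
    # <target>, so re-running on the same CRL reuses its slot.
    dir=$1; target=$2; hval=$3; n=0
    while [ -e "$dir/$hval.r$n" ] || [ -L "$dir/$hval.r$n" ]; do
        if [ "$(readlink "$dir/$hval.r$n")" = "$target" ]; then
            break
        fi
        n=$((n + 1))
    done
    echo "$dir/$hval.r$n"
}

install_crl() {
    # Usage: install_crl <dir> <dir>/<name>.crl ; prints the link created.
    dir=$1; crl=$2
    hval=$(crl_hash "$crl") || return 1
    target=$(basename "$crl")      # relative target, as in the quoted ln -s
    link=$(crl_link_name "$dir" "$target" "$hval")
    ln -sf "$target" "$link" || return 1
    echo "$link"
}

find_hash_collisions() {
    # Print every hash shared by two or more *.crl files in <dir>: these are
    # the ones that must be installed as .r0, .r1, ... rather than .r0 alone.
    for f in "$1"/*.crl; do
        [ -f "$f" ] || continue
        crl_hash "$f"
    done | sort | uniq -d
}
```

Run `find_hash_collisions /path/to/crls` first; any hash it prints is one where a single .r0 link would leave the other CRL invisible to the lookup.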
