[openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

Dr. Stephen Henson steve at openssl.org
Wed Mar 9 19:01:38 UTC 2016

On Wed, Mar 09, 2016, o haya wrote:

> Question:  What exactly is determines the ORDER in which the CRLs would be selected?
> In other words, say there were two CRL files (the previous one and the current one) but one hash (only .r0) pointing to the current CRL file.  The reason for my question is that we're (or I) am still trying to understand why we'd get the Error 12/Expired CRL?  
> In this case, there'd be only one hash/soft link, pointing to one of the CRL files, and no softlink pointing to the other CRL file.
> So how does OpenSSL (or Apache?) decide which of the CRLs to work with?

If you only have one CRL in the the form <hash>.r0 then that will get loaded.
What may have happened in your case was that there were two CRLs with the
same issuer name and the hash file only pointed to the one which was not up to
date. So OpenSSL would only load that one case and you'd get that error.

If you had CRLs of the form .r0, .r1 etc then it should've loaded both and
used the more recent one.

When you have CRLs bundled in a file they all get loaded so it will see both
and use the appropriate case.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list