[openssl-users] Automatic download of CRL

Lei Kong leikong at msn.com
Fri Apr 21 00:47:22 UTC 2017


I am using 1.0.2g. CRL checking works fine on my certificate when I download and save CRL in PEM format locally.

I noticed that “openssl verify” has this option:
-crl_download
           Attempt to download CRL information for this certificate.

But it does not work for me. The CRL URL embedded in my certificate points to a CRL file in DER format; maybe this is the reason “download” didn’t work?

If I want to enable “automatic download” in C code, do I have to provide a callback to X509_STORE_set_lookup_crls_cb, or is there a simpler way (e.g. a flag)?
If I must provide such a callback, do I need to handle DER vs PEM encoding in the callback?

Thanks much.
