[openssl-users] Making a CRL with an authority key identifier

Ivan Rubinson soryy708 at gmail.com
Thu Jun 1 10:15:13 UTC 2017


My name is Ivan, and I'm trying to get OpenSSL to make a CRL with an
authority key identifier.
(A third-party API expects it from the CRL.)

I make my own CA, use it to sign a certificate, and then generate the CRL.
This is the configuration file: https://pastebin.com/yL4UBtGW (it's
basically the example configuration file with a few changes).

Here are the commands I run:

Making the CA:

> openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config req.cnf

Making the certificate:

> openssl req -new -nodes -out pdf-req.pem -keyout private/pdf-pkey.pem -config req.cnf
> openssl ca -config req.cnf -out pdf-cert.pem -infiles pdf-req.pem

Making the CRL:

> openssl ca -config req.cnf -gencrl -out crl.pem

I'm using OpenSSL-Win64 0.9.8g.

Even though on line 251 I ask OpenSSL to have an authority key identifier,
the generated CRL doesn't have it. I've searched on Google and tried
multiple things (like uncommenting issuerAltName, or giving it different
options) and the CRL still doesn't have it.
At this point I'm stumped, and I'd like to ask you nice people for help.

Thank you in advance,
Ivan Rubinson
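
Added example, not part of the original post and not the poster's configuration: a shell function that builds a throwaway CA and checks whether `openssl ca -gencrl` puts an Authority Key Identifier into the CRL, once with the CA section's `crl_extensions` line pointing at a section that sets `authorityKeyIdentifier` and once with that line commented out. It assumes a current `openssl` binary on the PATH (not the 0.9.8g build mentioned above); the CN, the temporary directory and the `crl_ext` section name are constructed for the demo.

```shell
#!/bin/sh
# Added demo with constructed names: build a throwaway CA, issue an empty CRL,
# and report whether the CRL carries an Authority Key Identifier (AKI).
# usage: crl_has_aki on|off   (on = CA section references [ crl_ext ])
# exit status: 0 = AKI present, 1 = AKI absent, 2 = setup failed
crl_has_aki() (
    work=$(mktemp -d) || exit 2
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 2
    mkdir private
    : > index.txt          # empty certificate database
    echo 01 > crlnumber    # next CRL number, in hex

    crl_line='# crl_extensions = crl_ext'
    [ "$1" = on ] && crl_line='crl_extensions = crl_ext'

    cat > req.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
crlnumber = crlnumber
certificate = cacert.pem
private_key = private/cakey.pem
default_md = sha256
default_crl_days = 30
$crl_line
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed Test CA
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
EOF
    # Self-signed CA with a subject key identifier for keyid:always to copy
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -extensions v3_ca -keyout private/cakey.pem -out cacert.pem \
        -config req.cnf 2>/dev/null || exit 2
    openssl ca -config req.cnf -gencrl -out crl.pem 2>/dev/null || exit 2
    # The text dump lists CRL extensions; look for the AKI entry
    openssl crl -in crl.pem -noout -text | grep -q 'Authority Key Identifier'
)
```

Run `crl_has_aki on; echo $?` and `crl_has_aki off; echo $?` to compare the two configurations; the same `openssl crl -noout -text` check works on any existing `crl.pem`.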
