Support of Indirect CRL and How to?

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Support of Indirect CRL and How to?

Romain Viau
Hi everybody,

I am trying to implement a complex PKI and some parts are based on a Indirect CRL issued by a specific certificate.

I found that the "openssl verify" command works fine if I had the CRL issuer as "-untrusted" argument.
But this check doesn't work if I only add the CRLIssuer cert in the CApath (with `openssl rehash` operation).

The CA issuing the User certificate is offline, so I coudn't manage its CRL and my final use case is to implement the CRL verification by a server like Nginx or Apache. So, can I make it work with SSL_CONF_cmd and with which parameters?