x509 CRL v2


x509 CRL v2

Daniel García Franco
Hello!

I use v2 of CRL, and I have to revoke the certificates
with 2 extensions, CRL Revoke Reason and InvalidityDate. I know how to
pass the first extension to openssl when I revoke a certificate, but
I don't know how to pass the second extension.

I'm using the following command to revoke the certificates:

$>openssl ca -revoke cert.pem -config my_openssl_config_file.conf -crl_reason the_reason


Thanks!!!



--
Daniel García Franco E-mail: [hidden email]
Red.ES/RedIRIS                  Tel:+34 955 05 66 27
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN

-Red Académica y Científica española (http://www.rediris.es/)-

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: x509 CRL v2

Dr. Stephen Henson
On Mon, Jan 16, 2006, Daniel García Franco wrote:

> Hello!
>
> I use v2 of CRL, and I have to revoke the certificates
> with 2 extensions, CRL Revoke Reason and InvalidityDate. I know how to
> pass the first extension to openssl when I revoke a certificate, but
> I don't know how to pass the second extension.
>
> I'm using the following command to revoke the certificates:
>
> $>openssl ca -revoke cert.pem -config my_openssl_config_file.conf -crl_reason the_reason
>
>

You specify one of the options:

-crl_compromise TIME
-crl_CA_compromise TIME

This sets the reason code to keyCompromise or cACompromise and the invalidity
time to TIME, where TIME is in GeneralizedTime format: "YYYYMMDDHHMMSSZ".

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
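
Added example (not part of the original thread and not OpenSSL project code): the revocation step from the reply above, run end to end against a throwaway CA so the resulting CRL entry can be inspected. It assumes the openssl command is on PATH; the function name, CA name, subject and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Everything here (CA name, subject, file names) is constructed;
# only -revoke, -config and -crl_compromise TIME come from the thread.
revoke_with_invalidity_date() {
    inv_time=$1    # GeneralizedTime, YYYYMMDDHHMMSSZ
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        mkdir newcerts && : > index.txt &&
        echo 01 > serial && echo 01 > crlnumber &&
        cat > ca.conf <<'EOF' &&
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
        openssl req -config ca.conf -x509 -newkey rsa:2048 -nodes \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null &&
        openssl req -config ca.conf -newkey rsa:2048 -nodes \
            -subj "/CN=demo-leaf" -keyout ee.key -out ee.csr 2>/dev/null &&
        openssl ca -batch -config ca.conf -in ee.csr -out cert.pem 2>/dev/null &&
        # The step from the thread: reason keyCompromise plus invalidity time.
        openssl ca -config ca.conf -revoke cert.pem \
            -crl_compromise "$inv_time" 2>/dev/null &&
        openssl ca -config ca.conf -gencrl -out crl.pem 2>/dev/null &&
        # Print the CRL; the revoked entry carries both entry extensions.
        openssl crl -in crl.pem -noout -text
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Calling `revoke_with_invalidity_date 20060116120000Z` prints the CRL text, where the revoked entry lists a CRL Reason Code of Key Compromise and an Invalidity Date matching the TIME argument.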

Re: x509 CRL v2

Daniel García Franco
Dr. Stephen Henson wrote:

> On Mon, Jan 16, 2006, Daniel García Franco wrote:
>
>> Hello!
>>
>> I use v2 of CRL, and I have to revoke the certificates
>> with 2 extensions, CRL Revoke Reason and InvalidityDate. I know how to
>> pass the first extension to openssl when I revoke a certificate, but
>> I don't know how to pass the second extension.
>>
>> I'm using the following command to revoke the certificates:
>>
>> $>openssl ca -revoke cert.pem -config my_openssl_config_file.conf -crl_reason the_reason
>
> You specify one of the options:
>
> -crl_compromise TIME
> -crl_CA_compromise TIME
>
> This sets the reason code to keyCompromise or cACompromise and the invalidity
> time to TIME, where TIME is in GeneralizedTime format: "YYYYMMDDHHMMSSZ".

Thanks Steve,

I would like to use other CRL Revoke Reasons such as "superseded",
"unspecified", etc. with the CRL Entry Extension InvalidityDate, without
the use of the CRL Entry Extension InvalidityDate forcing the CRL Revoke
Reason to be set to keyCompromise or cACompromise. Is it possible?

    Thanks again

best regards,

--
Daniel García Franco E-mail: [hidden email]
Red.ES/RedIRIS                  Tel:+34 955 05 66 27
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN

- Red Académica y Científica española (http://www.rediris.es/) -


Re: x509 CRL v2

Dr. Stephen Henson
On Tue, Jan 17, 2006, Daniel García Franco wrote:

> I would like to use other CRL Revoke Reasons such as "superseded",
> "unspecified", etc. with the CRL Entry Extension InvalidityDate, without
> the use of the CRL Entry Extension InvalidityDate forcing the CRL Revoke
> Reason to be set to keyCompromise or cACompromise. Is it possible?
>

There aren't currently any command line options to support this. They will be
added at some point.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: x509 CRL v2

Daniel García Franco
Dr. Stephen Henson wrote:

> On Tue, Jan 17, 2006, Daniel García Franco wrote:
>
>> I would like to use other CRL Revoke Reasons such as "superseded",
>> "unspecified", etc. with the CRL Entry Extension InvalidityDate, without
>> the use of the CRL Entry Extension InvalidityDate forcing the CRL Revoke
>> Reason to be set to keyCompromise or cACompromise. Is it possible?
>
> There aren't currently any command line options to support this. They will be
> added at some point.

Is it possible to pass the value of the InvalidityDate extension using
the OpenSSL primitives as a parameter?

       Thanks!



--
Daniel García Franco E-mail: [hidden email]
Red.ES/RedIRIS                  Tel:+34 955 05 66 27
Edificio CICA
Avenida Reina Mercedes, s/n
41012 Sevilla
SPAIN

- Red Académica y Científica española (http://www.rediris.es/) -
