[Help-gnutls] Empty CRL

Aaron VanDevender sig at netdot.net
Tue Jun 20 00:59:49 CEST 2006


On Mon, 2006-06-19 at 19:17 +0200, Nikos Mavrogiannopoulos wrote:
> On Mon 19 Jun 2006 16:14, Aaron VanDevender wrote:
> > Is there a way to use certtool to create an empty CRL? If I say:
> > $ certtool --load-ca-certificate ca-cert.pem --load-ca-privkey \
> >   ca-key.pem --generate-crl --outfile crl.pem
> 
> With the current certtool I don't think so. But why would you need an 
> empty CRL list?

So that I can write a program that just says:

gnutls_certificate_set_x509_crl_file (cert_cred, CRLFILE,
                                      GNUTLS_X509_FMT_PEM);

Just like in Example Server 7.4.2 and not have to first check that
CRLFILE is empty or not.

Also, and more importantly, the CRL file has useful stuff in it in
addition to revocation certificates, like a CRL expiration date, so that
when I'm setting up a new CA, and there haven't been any revoked certs
yet, clients can still download the CRL and learn that 1) nothing has
been revoked yet, and 2) when they can expect a new CRL to be published
that might contain a revoked certificate. Without that clients have no
idea whether to check for the next CRL in ten minutes or in ten years.
So they have to guess, and when I finally do issue a new CRL, I don't
know how long it will take till all the clients have gotten the new one,
and thus closed the abuse window on the old revoked certificate.

In other words, we need to be able to create empty CRLs. It's a shame
that it cannot be done with certtool. I'll use openssl for now:

openssl ca -config ./openssl.cnf -gencrl -out crl.pem -keyfile \
    ca-key.pem -cert ca-cert.pem

But it would be nice if I could use GnuTLS as a complete PKI solution.

-- 

sig at netdot.net
Plead the First.
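The two halves of the argument above, an empty CRL that still carries thisUpdate/nextUpdate and a client that reads those fields to know when to refresh, as an added example that is not part of the original thread; it uses Python's `cryptography` package instead of certtool or the GnuTLS API, and the CA key, issuer name and one-week validity are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

CRL_VALIDITY = timedelta(days=7)  # assumed policy: a fresh CRL every week


def demo_ca():
    """Constructed throw-away CA key and name; not a real CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    return key, name


def make_empty_crl_pem(ca_key, issuer_name, now=None):
    """Sign a CRL with zero revoked entries but a real thisUpdate/nextUpdate,
    so relying parties learn that nothing is revoked and when to look again."""
    now = now or datetime.now(timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(now)
        .next_update(now + CRL_VALIDITY)
    )
    crl = builder.sign(private_key=ca_key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM)


def crl_status(pem_bytes, now=None):
    """Return (revoked_count, seconds_until_next_update) for a PEM CRL.

    nextUpdate is OPTIONAL in RFC 5280; when absent the second value is None,
    which is exactly the 'ten minutes or ten years' guessing game the mail
    describes. A negative value means the CRL is stale and must be refetched."""
    now = now or datetime.now(timezone.utc)
    crl = x509.load_pem_x509_crl(pem_bytes)
    if hasattr(crl, "next_update_utc"):        # cryptography >= 42 (aware)
        next_update = crl.next_update_utc
    else:                                      # older releases return naive UTC
        next_update = crl.next_update
        if next_update is not None:
            next_update = next_update.replace(tzinfo=timezone.utc)
    remaining = None if next_update is None else (next_update - now).total_seconds()
    return len(crl), remaining


if __name__ == "__main__":
    pem = make_empty_crl_pem(*demo_ca())
    revoked, remaining = crl_status(pem)
    print(f"revoked={revoked}, next CRL due in {remaining / 3600:.1f} h")
```

The same `crl_status` check works on a CRL produced by the openssl command in the mail, since it only reads the standard TBSCertList fields.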