[gnutls-help] CRL revoked certs ignored

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Apr 20 12:40:57 CEST 2015


On Sun, Apr 19, 2015 at 11:38 AM, Victorian Spirit
<gnutls+etherape at kernelbug.org> wrote:
> Dear all,
> I'm trying to get slapd (compiled against libgnutls) working with CRL checking.
> So I created a CRL via certtool based on a cert I want to revoke.
> In slapd I used 'TLSCRLFile'; this seems to be ignored.
> The client certificate is revoked and the CRL is verified with success,
> certtool --generate-crl --load-ca-privkey=ca-key.pem --load-ca-certificate=ca-cert.pem --outfile=crl.pem

This command generates an empty CRL. What is the output of crl-info?
For an example to generate a CRL using certtool see "Certificate
revocation list generation" in
http://www.gnutls.org/manual/html_node/certtool-Invocation.html

> gnutls-serv --x509keyfile=clients/lrc-ldap.key \
>             --x509certfile=clients/lrc-ldap.crt \
>             --x509crlfile=crl.pem \
>             --x509cafile=ca-cert.pem --echo

This command does not verify the client certificate. To enable client
certificate verification use "-r" or --verify-client-cert.

regards,
Nikos
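The difference the reply points at, shown as an added example (not code from the poster or from the GnuTLS project): the same `certtool --generate-crl` invocation run twice against a throwaway CA, once exactly as in the thread and once with `--load-certificate` naming the certificate to revoke, followed by a `--crl-info` count of the revoked entries so an empty CRL is noticed immediately rather than after a server silently accepts a "revoked" client. The directory layout, template contents and the "Example demo CA" / "lrc-ldap" names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the gnutls-help thread): build a throwaway CA and
# client certificate with certtool, generate an empty CRL and a real one, and
# count the revoked entries instead of trusting that certtool "succeeded".
set -eu

# Templates for non-interactive certtool runs (constructed for this demo).
write_templates() {
    dir=$1
    cat > "$dir/ca.tmpl" <<'EOF'
cn = "Example demo CA"
ca
cert_signing_key
crl_signing_key
expiration_days = 30
EOF
    cat > "$dir/client.tmpl" <<'EOF'
cn = "lrc-ldap"
tls_www_client
signing_key
encryption_key
expiration_days = 30
EOF
    # next update in 30 days and a CRL number; both are needed for a
    # non-interactive --generate-crl run
    cat > "$dir/crl.tmpl" <<'EOF'
crl_next_update = 30
crl_number = 1
EOF
}

# CA key/cert, client key/cert, an empty CRL (the thread's command) and a
# CRL that revokes the client cert (same command plus --load-certificate).
build_pki() {
    dir=$1
    write_templates "$dir"
    certtool --generate-privkey --outfile "$dir/ca-key.pem" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem" 2>/dev/null
    certtool --generate-privkey --outfile "$dir/client.key" 2>/dev/null
    certtool --generate-certificate --load-privkey "$dir/client.key" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/client.tmpl" --outfile "$dir/client.crt" 2>/dev/null
    # No --load-certificate: nothing is revoked, the CRL is empty.
    certtool --generate-crl --load-ca-privkey "$dir/ca-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --template "$dir/crl.tmpl" \
        --outfile "$dir/empty-crl.pem" 2>/dev/null
    # With --load-certificate: the named certificate is listed as revoked.
    certtool --generate-crl --load-ca-privkey "$dir/ca-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-certificate "$dir/client.crt" \
        --template "$dir/crl.tmpl" --outfile "$dir/crl.pem" 2>/dev/null
}

# Number of revoked entries that `certtool --crl-info` lists for a PEM CRL
# (each revoked entry is printed with its "Serial Number (hex)").
crl_revoked_count() {
    certtool --crl-info --infile "$1" 2>/dev/null | grep -c 'Serial Number' || true
}

# Exit 0 if certtool accepts client.crt against the CA plus crl.pem,
# 1 if it rejects it (what a revoked certificate should produce).
verify_client_cert() {
    dir=$1
    if certtool --verify --load-ca-certificate "$dir/ca-cert.pem" \
         --load-crl "$dir/crl.pem" --infile "$dir/client.crt" >/dev/null 2>&1; then
        echo "client.crt accepted"
        return 0
    fi
    echo "client.crt rejected"
    return 1
}

# Usage: sh crl-check.sh /path/to/empty/dir
if [ $# -eq 1 ]; then
    build_pki "$1"
    echo "revoked entries in empty-crl.pem: $(crl_revoked_count "$1/empty-crl.pem")"
    echo "revoked entries in crl.pem:       $(crl_revoked_count "$1/crl.pem")"
    verify_client_cert "$1" || true
fi
```

The count is the check worth keeping in any deployment script: a CRL with zero entries verifies perfectly well against the CA and is accepted by slapd or gnutls-serv without complaint, it just never rejects anyone. And, as the reply notes, the CRL only matters on the server side once client certificates are actually verified (`-r` / `--verify-client-cert` for gnutls-serv).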