Hi, I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/) I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl My idea is wrong? Regards,