Hi Phil, openssl is able to read the crl, output als follows (I changed the URL/LDAP information): Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /DC=tld/DC=domain/CN=test Last Update: Mar 5 14:08:35 2011 GMT Next Update: Mar 13 02:28:35 2011 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:37:F6:0A:2D:71:71:DF:5B:F5:DB:90:FF:E4:4B:82:78:89:CB:E4:70 1.3.6.1.4.1.311.21.1: ... X509v3 CRL Number: 20 1.3.6.1.4.1.311.21.4: 110312141835Z . 2.5.29.46: 0..0...........ldap:///blah,blah,blah 1.3.6.1.4.1.311.21.14: 0..0...........ldap:///blah,blah,blah X509v3 Issuing Distrubution Point: critical 0-.+.).'http://domain.test/CA.crl Revoked Certificates: Serial Number: 3459AE3300000000001D Revocation Date: Mar 5 14:18:00 2011 GMT Serial Number: 33C46D66000000000014 Revocation Date: Mar 5 13:57:00 2011 GMT Serial Number: 131C3587000000000008 Revocation Date: Feb 16 07:24:00 2011 GMT Serial Number: 130CDC92000000000006 Revocation Date: Feb 16 07:24:00 2011 GMT Signature Algorithm: sha256WithRSAEncryption 5f:b6:ab:6e:30:cd:47:c2:97:e5:e9:3b:bc:c9:8e:76:22:74: ee:95:c5:1e:54:ed:a6:67:c7:a5:e1:90:d5... At least this seems to work... I forgot one thing: I think it *worked* during my first try. The error started when I downloaded the CRL for a second (third, fourth....) time. Am 08.03.2011 14:06, schrieb Phil Mayers:
On 08/03/11 13:01, Rudolph Bott wrote:
Tue Mar 8 13:09:48 2011 : Error: --> verify error:num=36:unhandled critical CRL extension
This comes out of OpenSSL. OpenSSL can't parse your CRL.
You may need a newer version of OpenSSL; what does:
openssl crl -text -noout -in <thefile.pem> -inform pem
...say? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mit freundlichen Grüßen/With Kind Regards Rudolph Bott