EAP-TLS CRL problem - a PKIX guru around?

[Adam Bishop]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 10 Mar 2015, at 13:47, Stefan Winter <stefan.winter at restena.lu> wrote:
So... the smoking gun line is "error 44 : Different CRL scope".

I suspect the issue is with the certificate itself - there are a few x509 extensions that mean a CRL is asserted to only have certificates revoked for certain reasons, or be partitioned into multiple CRL's. In short, I think OpenSSL believes the CRL is incomplete.

What does openssl x509 -noout -text -in <crt> say?

Regards,

Adam Bishop

  gpg: 0x6609D460

jisc.ac.uk

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJU/wE5AAoJEKTthRWhpiMvxOcP/3+N4/sXpM4LQ0OtcYE+8WY7
NGQrJJw3VjmRxdLOhsopz9d6oRrIy5ZgZ5yrBZ9ofB/S5wJKvvzh2NYqF/ltmgZA
O8tSajWmyjdaQ47lFojPVAhHes/vwfXHPmmoTkrh0c3mh40X6hNC+vwrpK29rEHR
eUZVnTN0sRImcXjTGLsoer2hC5ib703RXNMKJzNyKqW+D2DgaajnP9oTrYpnf7jp
k0b0ItwvGJsKFMxNKM030MjprKtNqwEI4eLDF1CNSL3DZAs7wfgE/y9E6CpQwcYu
MsD4QEwDk/EILOuzsbwqIMXADFYGAYir5+SND6LDgdJFkBCwxvPNt+4dAbGa6GJB
+wMfkuGYjI8NZgshdml0w973mndK81gMhV/giaN/OIGQqMjQMFjh+B8dUUn/lx0Z
qzdbB/kZZCDGNwIGvQMMQbQ+g26CVcRNp0av6YHeORX/laE/d7TeeCB02zT8cKzB
GZPwC+WrVv6gXCz3OI/pynS0+CD8zaD8u1+w184h6Vp9vJsRFPFruB9dd5XO/686
fOO2rU6/OhPNQiPzHyNE3zkn891hIG/ewV613Ov1GRm64za7tVvI63/o2203+4Wo
qWPexXy7n/6n/rj68nbiX4wZHt66bnDDtq1UnzHBvn403IgPJ3NJqqmh/AH8NFz5
zunMmsr+BPVbXDwSRdZI
=I4vn
-----END PGP SIGNATURE-----

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.