how to disable crlDistributionPoints extension?
yukou katori
k10lie.tech at yahoo.co.uk
Thu Mar 17 15:09:05 CET 2016
Hi,
I have a problem that crlDistributionPoints is included in the server certificate. This forces clients to check the CRL via HTTP. For the sake of simplicity in my setup, I don't want clients to check the CRL via HTTP.
# checking a CRL stored locally on the clients is enough (e.g. in StrongSwan, ipsec.d/crls/)

I deleted the following parameter in ca.cnf (I'm using FR3.0.10):

    [v3_ca]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints = critical,CA:true
    crlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE

I performed "make ca.pem". Then I made the server certificate, and the CDP is included as follows:

    openssl x509 -text -noout -in server.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX at XXX, CN=FR-CA
            Validity
                Not Before: Mar 16 15:02:23 2016 GMT
                Not After : Mar 11 15:02:23 2036 GMT
            Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX at XXX
    (snip)
            X509v3 extensions:
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 CRL Distribution Points: <<< HERE!!!
                    Full Name:
                      URI:http://www.example.com/example_ca.crl

Is my idea wrong?
Regards,