[Swan-dev] Libreswan library not taking CRLs from the certificate link.

Tuomo Soini tis at foobar.fi
Wed Dec 18 10:00:45 UTC 2019


On Wed, 18 Dec 2019 00:46:39 +0530
Utkarsh Kumar <utkarshkumar84 at gmail.com> wrote:

> Hi Paul,
>       Thanks for the response, yes my CA certificate doesn't have a CRL
> attribute, but I checked many other CA certificates and, out of 10 for
> example, only one CA certificate had the CRL distribution point.

In this case, having the CRL distribution point only in the end certificate
causes a chicken-and-egg problem. When you request strict CRL checking, that
means you won't accept the certificate without a CRL. And when you don't
have the CRL loaded _before_, you can't accept the certificate, so you can't get the
CRL distribution point from the cert.

So you really must load the CRL manually into your NSS database with
crlutil to be able to accept the certificate the first time.

Again: this doesn't belong on the swan-dev mailing list, please switch to
the swan list.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
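The manual bootstrap described above, as an added example that is not part of the thread or of the libreswan project's own code. It assumes openssl, certutil and crlutil (nss-tools) are installed. The CA, the end certificate and the CRL are generated on the fly as constructed test data; the CA deliberately carries no CRL distribution point while the end certificate does, and the URI in that extension is a placeholder. `has_crl_dp` shows which certificate actually advertises a distribution point, and `load_crl_into_nss` imports the issuer and then the CRL with crlutil, in that order, because crlutil verifies the CRL signature against the issuer already in the database.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from libreswan itself.
# Assumes openssl, certutil and crlutil are on PATH. All PKI material below is
# constructed test data; http://crl.example.test/ca.crl is a placeholder URI.
set -eu

# Return 0 when openssl and the NSS tools are all available.
tools_present() {
    for tool in openssl certutil crlutil; do
        command -v "$tool" >/dev/null 2>&1 || return 1
    done
}

# Build a throwaway PKI in "$1": a CA with no CRL distribution point, an
# end-entity certificate that carries one, and an (empty) CRL signed by the CA.
setup_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn-gw.example.test" \
        -keyout "$dir/ee.key" -out "$dir/ee.csr" 2>/dev/null
    # Only the end certificate gets the CRL DP extension (placeholder URI).
    printf 'crlDistributionPoints=URI:http://crl.example.test/ca.crl\n' > "$dir/ee.ext"
    openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ee.ext" \
        -out "$dir/ee.pem" 2>/dev/null
    # Minimal "openssl ca" configuration: just enough to sign a CRL.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$dir/index.txt"
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl.pem" 2>/dev/null
    # certutil and crlutil are fed DER here.
    openssl crl -in "$dir/ca.crl.pem" -outform DER -out "$dir/ca.crl.der"
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der"
}

# Return 0 if the PEM certificate "$1" carries a CRL distribution point.
has_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'
}

# Create an NSS database in "$1", import the CA certificate "$2" (DER) and
# then the CRL "$3" (DER). The issuer must be present before the CRL, since
# crlutil checks the CRL signature on import.
load_crl_into_nss() {
    db=$1; cacert=$2; crl=$3
    mkdir -p "$db"
    certutil -N -d "sql:$db" --empty-password
    certutil -A -d "sql:$db" -n "Example Test CA" -t "CT,," -i "$cacert"
    crlutil -I -d "sql:$db" -i "$crl"
}

# Return 0 if the database "$1" now holds a CRL whose issuer name contains "$2".
nss_has_crl_for() {
    crlutil -L -d "sql:$1" | grep -q "$2"
}

demo() {
    work=$(mktemp -d)
    setup_test_pki "$work"
    for c in ca ee; do
        if has_crl_dp "$work/$c.pem"; then
            echo "$c.pem: has a CRL distribution point"
        else
            echo "$c.pem: no CRL distribution point"
        fi
    done
    load_crl_into_nss "$work/nssdb" "$work/ca.der" "$work/ca.crl.der"
    echo "CRLs now in the NSS database:"
    crlutil -L -d "sql:$work/nssdb"
    rm -rf "$work"
}

if tools_present; then
    demo
else
    echo "openssl, certutil and crlutil are required for this demo; skipping" >&2
fi
```

Once the CRL is in place, the strict setting (`crl-strict=yes` in libreswan's `config setup`) can be enabled without the first connection being rejected for lack of a CRL; the same two imports, the issuer and then its CRL, are what you would run against the real `sql:/etc/ipsec.d` database.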
