[Swan] Current state of CRL handling?
Nels Lindquist
nlindq at maei.ca
Thu Sep 15 15:43:05 UTC 2016
On 2016/09/14 3:09 PM, Tuomo Soini wrote:
>>>>> Attempts to import a CRL file into the NSS database using
>>>>> crlutil fail with "crlutil: unable to import CRL:
>>>>> SEC_ERROR_CRL_INVALID: New CRL has an invalid format."
>>>>
>
> All crls are expected to be in der format but pem is supported too.
> Your error sounds like crl is not in correct format. That also explains
> why you don't see your crl in ipsec auto --listcrls.
Okay, not sure what's going on here, but upon further testing:
1. Converting crl.pem to crl.der using
"crl -in crl.pem -out crl.der -outform der"
is successful. Placing crl.der in /etc/ipsec.d/crls and performing
"ipsec auto --rereadcrls"
gives exactly the same success message as the PEM file did, but still no
joy on "ipsec auto --listcrls".
2. However, attempting to import the DER format file into the NSS
database works, and (without doing another ipsec auto --reread),
"ipsec auto --listcrls"
now produces the following:
> 000
> 000 List of CRLs:
> 000
> 000 issuer: C=CA, ST=Alberta, L=Edmonton International Airport,
> O=Morningstar Air Express Inc., OU=Information Technology,
> CN=MAEI Root Certificate, E=root at maei.ca
> 000 revoked certs: 14
> 000 updates: this Tue Sep 13 14:01:02 2016
> 000 next Sun Mar 12 14:01:02 2017
So I'm not sure what's going on with either the PEM format file or loading
CRLs from /etc/ipsec.d/crls, neither of which is working in my case,
but I appear to have a functioning workaround, so it's not critical.
Nels Lindquist
----
<nlindq at maei.ca>
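The thread turns on whether the file handed to crlutil or dropped into /etc/ipsec.d/crls is really DER or really PEM. The script below is an added example, not code from the thread, from libreswan, or from NSS: it classifies a CRL file by its outer ASN.1 framing (CertificateList is SEQUENCE { tbsCertList SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }) and unwraps a PEM "X509 CRL" block to DER. It does not verify signatures or parse revoked entries. The sample bytes are constructed to have a CRL-shaped outer structure and are not a real signed CRL.

```python
"""Tell a DER CRL from a PEM CRL from neither, and unwrap PEM to DER.

Added example (not libreswan/NSS code). It checks only the outer ASN.1
framing of a CertificateList, which is the part an importer rejects with
an "invalid format" style error before it ever looks at the contents.
"""
import base64
import re
import sys
from typing import Optional, Tuple

PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S
)


def _der_tlv(data: bytes, offset: int = 0) -> Optional[Tuple[int, int, int]]:
    """Return (tag, header_len, content_len) for the TLV at offset, or None.

    Rejects indefinite lengths and non-minimal long-form lengths, which are
    legal BER but not DER.
    """
    if offset + 2 > len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                      # short form
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 2 + n > len(data):
        return None                       # indefinite or absurd length
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    if length < 0x80:                     # DER requires short form here
        return None
    return tag, 2 + n, length


def looks_like_der_crl(data: bytes) -> bool:
    """True if data is exactly one SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    outer = _der_tlv(data)
    if outer is None:
        return False
    tag, hdr, length = outer
    if tag != 0x30 or hdr + length != len(data):
        return False                      # wrong tag, truncated, or trailing junk
    pos = hdr
    for want in (0x30, 0x30, 0x03):       # tbsCertList, signatureAlgorithm, signature
        child = _der_tlv(data, pos)
        if child is None or child[0] != want:
            return False
        pos += child[1] + child[2]
    return pos == len(data)


def pem_to_der(data: bytes) -> Optional[bytes]:
    """Unwrap the first "X509 CRL" PEM block; None if absent or not valid base64."""
    m = PEM_RE.search(data)
    if not m:
        return None
    try:
        # join lines first so CRLF and odd wrapping do not matter
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:
        return None


def classify_crl(data: bytes) -> str:
    """Return "der", "pem" or "invalid" for the bytes of a would-be CRL file."""
    if looks_like_der_crl(data):
        return "der"
    der = pem_to_der(data)
    if der is not None and looks_like_der_crl(der):
        return "pem"
    return "invalid"


# Constructed sample: CRL-shaped framing only, not a real signed CRL.
#   SEQUENCE(17) { SEQUENCE { INTEGER 1 }, SEQUENCE { OID 1.3.101.112 }, BIT STRING 0xabcd }
SAMPLE_DER = bytes.fromhex("3011" "3003020101" "300506032b6570" "030300abcd")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    # usage: crlcheck.py crl.pem [out.der]  (converts PEM to DER when out.der is given)
    raw = open(sys.argv[1], "rb").read()
    kind = classify_crl(raw)
    print(f"{sys.argv[1]}: {kind}")
    if kind == "pem" and len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(pem_to_der(raw))
```

If the script reports "invalid" for a file that openssl happily reads, the usual causes are a different PEM label (e.g. "BEGIN CERTIFICATE" rather than "BEGIN X509 CRL"), trailing bytes after the DER, or a BER encoding from a tool that does not emit strict DER; fix the file before retrying the import rather than assuming the importer is at fault.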