[Swan] Current state of CRL handling?

Nels Lindquist nlindq at maei.ca
Thu Sep 15 15:43:05 UTC 2016

On 2016/09/14 3:09 PM, Tuomo Soini wrote:

>>>>>  Attempts to import a CRL file into the NSS database using
>>>>> crlutil fail with "crlutil: unable to import CRL:
>>>>> SEC_ERROR_CRL_INVALID: New CRL has an invalid format."
> All crls are expected to be in der format but pem is supported too.
> Your error sounds like crl is not in correct format. That also explains
> why you don't see your crl in ipsec auto --listcrls.

Okay, not sure what's going on here, but upon further testing:

1.  Converting crl.pem to crl.der using

"crl -in crl.pem -out crl.der -outform der"

is successful.  Placing crl.der in /etc/ipsec.d/crls and performing

"ipsec auto --rereadcrls"

gives exactly the same success message as the PEM file did, but still no 
joy on "ipsec auto --listcrls".

2.  However, attempting to import the DER format file into the NSS 
database works, and (without doing another ipsec auto --reread),

"ipsec auto --listcrls"

now produces the following:

> 000
> 000 List of CRLs:
> 000
> 000 issuer: C=CA, ST=Alberta, L=Edmonton International Airport,
> O=Morningstar Air Express Inc., OU=Information Technology,
> CN=MAEI Root Certificate, E=root at maei.ca
> 000 revoked certs: 14
> 000 updates: this Tue Sep 13 14:01:02 2016
> 000          next Sun Mar 12 14:01:02 2017

So not sure what's going on with either the PEM format file or loading 
certs from /etc/ipsec.d/crls, neither of which is working in my case, 
but I appear to have a functioning workaround so it's not critical.

Nels Lindquist
<nlindq at maei.ca>
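The reply above says the importer expects DER and that the "invalid format" error usually means the file is not what the loader expects. The following is an added example, not code from the thread or from libreswan/NSS: it classifies a CRL file as PEM or DER, strips the PEM armour, and checks that the outer DER SEQUENCE length matches the file length, which catches truncated files and files that are really something else (e.g. a certificate). The sample bytes are a constructed stand-in, not a real CRL.

```python
"""Classify a CRL file as PEM or DER and normalise it to DER bytes.

Added example, not part of the mailing-list thread. It only checks the
outer encoding; it does not parse the CRL contents.
"""
import base64
import re

# PEM armour used for CRLs (as written by "openssl crl -outform pem").
PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def der_outer_length(data: bytes):
    """Total length of the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:   # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def normalise_crl(blob: bytes):
    """Return ("pem" | "der", der_bytes), or ("invalid", None)."""
    m = PEM_RE.search(blob)
    if m:
        body = re.sub(rb"\s+", b"", m.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            return ("invalid", None)
        kind = "pem"
    else:
        der, kind = blob, "der"
    # The outer SEQUENCE must account for exactly the whole file.
    if der_outer_length(der) != len(der):
        return ("invalid", None)
    return (kind, der)


# Constructed sample: a DER SEQUENCE containing INTEGER 5 (not a real CRL).
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\nMAMCAQU=\n"
              b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, normalise_crl(f.read())[0])
```

Run it on the files you placed in /etc/ipsec.d/crls; anything reported as "invalid" is worth re-exporting before blaming the loader.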
