Re: Verify server certificate using CRL

From: Michael Wood <>
Date: Thu, 2 Apr 2009 08:46:50 +0200

On Wed, Apr 1, 2009 at 4:51 PM, Asaf Cohen <> wrote:
> One more thing, it doesn't make sense to me when I want to check if
> certificate is valid, to trust it's property of distribution points,
> It's like when you need to identify yourself saying: "call this number to
> ask if it's me..."

I don't know the answer to your other question, but you should get the
CRL URL from the CA's certificate, not from the web server's (or
whatever) certificate.

e.g. if I run "openssl x509 -text </path/to/cacert.pem" on one of the
CA certs on a Linux box, I get:

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DirName:/CN=OCSP 1-4
            X509v3 CRL Distribution Points:

Michael Wood <>
Received on 2009-04-02
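
The check discussed in this thread, as an added example that is not part of the original mail or of curl: it reads the CRL Distribution Points URI out of the same `openssl x509 -text` output and shows `openssl verify -crl_check` accepting a certificate until its CA revokes it. The CA, host name, CRL URL and function names are constructed for the demonstration, and OpenSSL 1.1.0 or later is assumed.

```shell
# Added example: throwaway CA in a scratch directory; every name and the CRL URL
# below are constructed. Assumes OpenSSL 1.1.0 or later on PATH.
# Print the CRL distribution point URIs found in a certificate.
cdp_urls() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI://p'; }

# Create a CA, a leaf certificate carrying a CDP, and an initial (empty) CRL.
make_pki() (
  cd "$1" && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
x509_extensions = leaf_ext
[pol]
commonName = supplied
[leaf_ext]
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=Demo CA" -days 30 2>/dev/null &&
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=server.example.invalid" 2>/dev/null &&
  openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.pem 2>/dev/null &&
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)
# Revoke the leaf and issue a fresh CRL signed by the CA.
revoke_leaf() (
  cd "$1" && openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)
# Verify the leaf against the CA and its CRL; exit status 0 means "not revoked".
check_leaf() {
  openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" "$1/leaf.pem" >/dev/null 2>&1
}
```

Run `make_pki` on an empty directory, then call `check_leaf` before and after `revoke_leaf` to see the result change.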