cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Verify server certificate using CRL

From: Michael Wood <esiotrot_at_gmail.com>
Date: Thu, 2 Apr 2009 08:46:50 +0200

On Wed, Apr 1, 2009 at 4:51 PM, Asaf Cohen <asafco_at_checkpoint.com> wrote:
[...]
> One more thing, it doesnít make sense to me when I want to check if
> certificate is valid, to trust itís property of distribution points,
>
> Itís like when you need to identify yourself saying: ďcall this number to
> ask if itís meÖĒ

I don't know the answer to your other question, but you should get the
CRL URL from the CA's certificate, not from the web server's (or
whatever) certificate.

e.g. if I run "openssl x509 -text </path/to/cacert.pem" on one of the
CA certs on a Linux box, I get:

[...]
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DirName:/CN=OCSP 1-4
            X509v3 CRL Distribution Points:
                URI:http://crl.verisign.com/RSASecureServer-p.crl
[...]

-- 
Michael Wood <esiotrot_at_gmail.com>
Received on 2009-04-02