Problem with CRL handling



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

I am not sure whether our issue is a problem within
ca-certificates-java or ca-certificates or the Debian Policy about SSL
or whatever, but there certainly is an issue:

We use our own CA for host certificates. As hosts get deleted, their
certificates get revoked. So it is important that the CRL is updated
and used everywhere.

Now the policy says that local CA certificates should be installed in

  /usr/local/share/ca-certificates/*.crt

This works as expected. We then tried to install the CRL in the same
place. This DOES work for the symlink generation. It does however NOT
WORK for the java keystore generation:

root@barbarella[ca-certificates]# update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Warning: there was a problem reading the certificate file
/etc/ssl/certs/server-ca-imt-crl.pem. Message:
  java.io.IOException: Invalid encoded CertificateValidity, starting
sequence tag missing.
done.
done.

This looks like a CRL being mistaken for a certificate. As far as I
know the Java keystore cannot hold CRLs, so the error is right. But
the question remains: Where should I install my CRL so that the default
Debian mechanisms work as expected?

Thanks for clarifying. If you would like me to open a bug against any
package I will do so.

Regards,

Christopher

- -- 
======================================================
    Dipl.-Ing. Christopher Odenbach
    Zentrum fuer Informations- und Medientechnologien
    Universitaet Paderborn
    Raum N5.314
    odenbach@uni-paderborn.de
    Tel.: +49 5251 60 5315
======================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iD8DBQFY21azhxiCJKeLY0IRAhmSAKCRP6n87sfjWZE8uUNCrujSIpkjdACfT8vk
McCEDIwKxJ+PCkDagmFJEk4=
=TkAd
-----END PGP SIGNATURE-----

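The failure in the mail above comes from a hook treating every PEM file under /etc/ssl/certs as a certificate. The following is an added example, not code from the original mail and not the ca-certificates-java hook itself: it classifies PEM files by their BEGIN label and shows how an import loop can skip CRLs rather than abort on them. The directory layout, the file names and the PEM bodies are constructed for the demo; the bodies are placeholders, not real DER.

```shell
#!/bin/sh
# Added example (not from the original mail or from the Debian hook):
# classify PEM files by their PEM label so that a keystore-import hook
# skips CRLs instead of failing on them. Paths and sample data are assumed.

# pem_kind FILE -> prints "certificate", "crl" or "other",
# judged from the first "-----BEGIN ...-----" line in the file.
pem_kind() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    case "$label" in
        CERTIFICATE|"TRUSTED CERTIFICATE") echo certificate ;;
        "X509 CRL") echo crl ;;
        *) echo other ;;
    esac
}

# import_certs_only DIR -> prints (on stdout) the names of the files an
# import loop would hand to the keystore tool, skipping CRLs and anything
# unrecognised (reported on stderr). Stands in for the keytool loop.
import_certs_only() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        case "$(pem_kind "$f")" in
            certificate) basename "$f" ;;
            crl) echo "skipping CRL $(basename "$f")" >&2 ;;
            *) echo "skipping unrecognised $(basename "$f")" >&2 ;;
        esac
    done
}

# Constructed sample directory standing in for /etc/ssl/certs.
DEMO_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIB...placeholder' \
    '-----END CERTIFICATE-----' > "$DEMO_DIR/local-ca.pem"
printf '%s\n' '-----BEGIN X509 CRL-----' \
    'MIIB...placeholder' \
    '-----END X509 CRL-----' > "$DEMO_DIR/server-ca-imt-crl.pem"

# Usage: run the loop over the sample directory; only the certificate is listed.
import_certs_only "$DEMO_DIR"
```

Dropped into a hook, the same label check lets the hook report "skipping CRL" for a file such as server-ca-imt-crl.pem instead of surfacing a parser exception, while certificates are still imported unchanged.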