Problem with CRL handling
I am not sure whether our issue is a problem within
ca-certificates-java or ca-certificates or the Debian Policy about SSL
or whatever, but there certainly is an issue:
We use our own CA for host certificates. As hosts get deleted, their
certificates get revoked. So it is important that the CRL is updated
and used everywhere.
Now the policy says that local CA certificates should be installed in
This works as expected. We then tried to install the CRL in the same
place. This DOES work for the symlink generation. It does, however, NOT
WORK for the Java keystore generation:

    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Warning: there was a problem reading the certificate file
    java.io.IOException: Invalid encoded CertificateValidity, starting sequence tag missing.

This looks like a CRL being mistaken for a certificate. As far as I
know the Java keystore cannot hold CRLs, so the error is right. But
the question remains: Where should I install my CRL so that the default
Debian mechanisms work as expected?
Thanks for clarifying. If you would like me to open a bug against any
package I will do so.
Dipl.-Ing. Christopher Odenbach
Zentrum fuer Informations- und Medientechnologien
Tel.: +49 5251 60 5315
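
An added example, not part of the original message or of any Debian package: it classifies a PEM or DER file as a certificate or a CRL from its ASN.1 field order (RFC 5280), so CRLs can be kept out of a directory that feeds a certificate-only keystore import. In a v2 CRL a time value sits where a certificate has its validity SEQUENCE, which is consistent with the CertificateValidity error quoted above. All function names and sample objects are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def tbs_tags(der_bytes):
    """Tags of the first five fields inside the to-be-signed SEQUENCE."""
    outer, start, _ = read_tlv(der_bytes, 0)      # Certificate / CertificateList
    inner, pos, end = read_tlv(der_bytes, start)  # TBSCertificate / TBSCertList
    if (outer, inner) != (0x30, 0x30):
        raise ValueError("not a DER SEQUENCE of SEQUENCE")
    tags = []
    while pos < end and len(tags) < 5:
        tag, _, pos = read_tlv(der_bytes, pos)
        tags.append(tag)
    return tags

def classify(data):
    """Return 'certificate', 'crl' or 'unknown' for PEM or DER bytes."""
    try:
        m = re.search(rb"-----BEGIN [A-Z0-9 ]+-----(.*?)-----END", data, re.S)
        if m:  # PEM label deliberately ignored: the structure decides
            data = base64.b64decode(m.group(1))
        tags = tbs_tags(data)
    except (ValueError, IndexError):
        return "unknown"
    body = tags[1:] if tags[:1] == [0xA0] else tags  # skip certificate [0] version
    if body[:4] == [0x02, 0x30, 0x30, 0x30]:  # serial, alg, issuer, validity
        return "certificate"
    body = tags[1:] if tags[:1] == [0x02] else tags  # skip CRL version INTEGER
    if body[:2] == [0x30, 0x30] and body[2:3] in ([0x17], [0x18]):  # thisUpdate
        return "crl"
    return "unknown"

# Constructed, unsigned skeletons in RFC 5280 field order (not real objects).
def der(tag, *parts):  # short-form DER element, body must stay below 128 bytes
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
ALG, NAME = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b"))), der(0x30)
T, SIG = der(0x17, b"250101000000Z"), der(0x03, b"\x00")
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
                            ALG, NAME, der(0x30, T, T), NAME), ALG, SIG)
SAMPLE_CRL = der(0x30, der(0x30, der(0x02, b"\x01"), ALG, NAME, T, T), ALG, SIG)
```

Because the PEM label is ignored, a CRL saved under a certificate label or file name is still reported as `crl`.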