Hi,

On 29.03.2017 at 08:39, Christopher Odenbach wrote:
[...]
> Where should I install my CRL that the default
> Debian mechanisms work as expected?
[...]

AFAIK there is no specific place for CRL files in Debian but for your specific use case I would suggest to define the location of your CRL file in your certificate, upload the certificate revocation list to a remote location and let your hosts retrieve it via a cron-like mechanism on a regular basis. A tool like fetch-crl [1] might be useful for this task but I have never used it, so no guarantee here.

Second option: Create a Debian package that includes your certificate and distribute it with your own apt-repository. A tool like reprepro can be useful. [2]

See /usr/share/doc/ca-certificates/examples/ca-certificates-local/README for more information.

The error message

    java.io.IOException: Invalid encoded CertificateValidity, starting sequence tag missing.

appears to come from [3]. Maybe the file must be DER encoded but I believe the CRL file should be stored somewhere else though.

Regards,

Markus

[1] https://tracker.debian.org/pkg/fetch-crl
[2] https://tracker.debian.org/pkg/reprepro
[3] http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/jdk8-b132/src/share/classes/sun/security/x509/CertificateValidity.java
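Added example, not part of the message above: a check that a cron-driven fetch job could run on a downloaded file before installing it, reporting whether the file is PEM or DER and whether it holds a certificate or a CRL. It relies only on the RFC 5280 field order (a certificate has a Validity SEQUENCE after the issuer, a CRL has a thisUpdate time); the function names and the skeleton sample bytes are constructed for illustration.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify(data):
    """Return (encoding, kind) with kind in 'certificate', 'crl', 'unknown'."""
    match = PEM_RE.search(data)
    encoding = "PEM" if match else "DER"
    tags = []
    try:
        der = base64.b64decode(match.group(2)) if match else data
        tag, start, end = read_tlv(der, 0)            # Certificate / CertificateList
        outer = der[start:end]
        tbs_tag, pos, tbs_end = read_tlv(outer, 0)    # TBSCertificate / TBSCertList
        if tag != 0x30 or tbs_tag != 0x30:
            return encoding, "unknown"
        while pos < tbs_end and len(tags) < 5:        # tags of the first TBS fields
            field_tag, _, pos = read_tlv(outer, pos)
            tags.append(field_tag)
    except ValueError:                                # also covers bad base64
        return encoding, "unknown"
    while tags and tags[0] in (0xA0, 0x02):           # skip version and serial number
        tags.pop(0)
    if len(tags) >= 3 and tags[:2] == [0x30, 0x30]:   # signature algorithm, issuer
        if tags[2] == 0x30:                           # Validity SEQUENCE
            return encoding, "certificate"
        if tags[2] in (0x17, 0x18):                   # thisUpdate UTCTime/GeneralizedTime
            return encoding, "crl"
    return encoding, "unknown"

# Constructed skeletons: correct field tags only, not valid signed objects.
SAMPLE_CERT = bytes.fromhex("3010300e" "a003020102" "020101" "300030003000")
SAMPLE_CRL = bytes.fromhex("30183016" "020101" "30003000" "170d") + b"170329083900Z"
SAMPLE_CRL_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.b64encode(SAMPLE_CRL)
                  + b"\n-----END X509 CRL-----\n")
```

A fetch job would call `classify()` on the downloaded bytes and replace the installed CRL only when the result is `crl` in the encoding the consuming application expects.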