On Thu, Oct 20, 2016 at 1:09 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Bjoern Voigt wrote:
# ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates I found, that "update-ca-certificates" remove the manually created link. Not good.
Oh, joy of relying on undocumented tools using undocumented utilities ... TL;DR - it is not possible :) openSUSE is using p11-kit to manage certificates and p11-kit currently simply does not support CRL (I would love to be proven wrong). There are ideas about providing common revocation cache, but this link has "no source available" as of now. I tried to chain root certificate with CRL but it does not work either - p11-glue trust module does not blindly copy certificate file, but rather extracts certificate and creates new file. OTOH what is the purpose of storing CRL for openssl? If you intend to use this CA for web sites, browsers usually request CRL themselves? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org