talamaki

Reputation: 5482

How to give CRL to openssl s_client?

I'm testing certificate revocation with a test server. I'm trying to use openssl s_client with crl_check parameter for testing the revocation. I have appended ca certs to a chain file I give in CAfile parameter.

With the command:

openssl s_client -connect <host>:<port> -crl_check -cert cert.pem \
-key key.pem -CAfile ca_chain.pem -state -verify_return_error -debug

I get a response:

Verify return code: 3 (unable to get certificate CRL)

Which is natural because I don't give the CRL.

How should I give the CRL (where the server cert is revoked) to the openssl s_client to get certificate revocation checked in negotiation?

Upvotes: 5

Views: 3595

Answers (1)

Steffen Ullrich

Reputation: 123561

With 1.02 you should be able to do this. From the changelog:

*) New options -CRL and -CRLform for s_client and s_server for CRLs.
   [Steve Henson]

In versions before that the behavior is undocumented: You have to include the CRL together with the certificate in the same file if you are using a single file with -CAfile. If you are using a directory with -CApath instead it gets even harder.

Upvotes: 4
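As an added example (not part of the question or the answer), the script below builds a constructed throwaway CA, issues and revokes a server certificate, and then checks both ways of handing OpenSSL the CRL that the answer describes: appended to the -CAfile bundle (pre-1.0.2) or passed as a separate file (1.0.2+: -CRL in s_client, -CRLfile in verify). It uses openssl verify -crl_check so it runs without a server; the same -CAfile and -CRL arguments apply to s_client -crl_check. It assumes openssl is in PATH with a usable default openssl.cnf.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI to demonstrate CRL hand-off; assumes
# openssl in PATH with a usable default openssl.cnf. Not real CA material.
set -e

make_test_pki() {   # $1: scratch directory to populate
  mkdir -p "$1"
  ( cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj /CN=Test-CA -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj /CN=localhost >/dev/null 2>&1
    # Minimal "openssl ca" database so we can sign, revoke and emit a CRL.
    touch index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ca]
default_ca = testca
[testca]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = anything
[anything]
commonName = supplied
EOF
    openssl ca -batch -notext -config ca.cnf -in server.csr -out server.pem >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -revoke server.pem >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    # Pre-1.0.2 method from the answer: the CRL lives inside the -CAfile bundle.
    cat ca.pem crl.pem > ca_chain_with_crl.pem )
}

# Run a CRL-checked verification of cert $2 against bundle $1; any extra
# arguments go to openssl (e.g. "-CRLfile crl.pem" for verify, "-CRL" in s_client).
crl_status() {
  bundle=$1; cert=$2; shift 2
  out=$(openssl verify -crl_check -CAfile "$bundle" "$@" "$cert" 2>&1) && { echo ok; return 0; }
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;   # CRL found, cert listed
    *"unable to get certificate CRL"*) echo no-crl  ;;   # verify return code 3
    *)                                 echo "other: $out" ;;
  esac
}
```

Without the CRL the check reproduces the "unable to get certificate CRL" result from the question; with the CRL in the bundle, or given separately, the revoked certificate is rejected.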
