
We have our own CA for internal use that secures about ten servers/services. We don't actually have or need a Certificate Revocation List.

But, as we are attempting to set up Dovecot to verify the identity of our Postfix server, we have discovered that Dovecot will not accept our CA certificate unless it has a CRL attached to the same file.

If we have a public CA cert, authority.crt, can we add some dummy CRL data onto that authority certificate file to make Dovecot happy?

UPDATE:

I think I have this almost figured out:

openssl ca -config ca/authority.cnf \
-gencrl -crldays 365 -crl_hold holdInstructionCallIssuer

But I get:

unable to load number from ssl/crlnumber
error while loading CRL number
140581396727104:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:../crypto/asn1/f_int.c:140:

The crlnumber file didn't exist. I tried to touch it into existence, which didn't work, and then I added the number 1 to the top, which also didn't work. I probably need to set something up in the authority.cnf configuration file for the crlnumber file.

Nick

1 Answer


The command to make a CRL is:

openssl ca -config ca/authority.cnf \
-gencrl -crldays 365 -crl_hold holdInstructionCallIssuer

In authority.cnf, you need to have:

[ CA_default ]
crlnumber         = $dir/ca/crlnumber
crl               = $dir/ca/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 365

You also need to create the crlnumber file in advance and populate it with a number. The number must be an even number of digits, i.e. 1 is not valid, but 01 is valid.

You'll get a CRL that can be pasted into the authority's crt file after the certificate. And Dovecot accepts that.

Nick
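The answer's procedure end to end, added here as a runnable example (this is not code from the question or the answer, and not Dovecot or Postfix code): it builds a throwaway CA in a temporary directory, reproduces the one-digit crlnumber failure from the question, generates the CRL with the answer's openssl ca -gencrl command, appends it to the CA certificate and checks the bundle with openssl verify -crl_check. It goes a step beyond the post by issuing and then revoking one certificate, so the bundle is exercised by a real CRL lookup rather than merely loaded. Everything it needs is a POSIX shell and the openssl command-line tool; the directory layout, the file names authority.cnf and authority-with-crl.crt and the CN mail.example.internal are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the question, the answer, Dovecot or Postfix):
# build a throwaway CA in a temp directory, reproduce the one-digit crlnumber
# failure, generate an empty CRL with "openssl ca -gencrl", append it to the
# CA certificate and check the bundle with "openssl verify -crl_check".
# The directory layout, file names and the CN mail.example.internal are assumed.
set -eu

# write_ca_config DIR: minimal authority.cnf carrying the CRL keys from the answer.
write_ca_config() {
  cat > "$1/authority.cnf" <<EOF
[ ca ]
default_ca        = CA_default
[ CA_default ]
dir               = $1
database          = \$dir/index.txt
new_certs_dir     = \$dir/certs
serial            = \$dir/serial
certificate       = \$dir/authority.crt
private_key       = \$dir/private/authority.key
default_md        = sha256
policy            = policy_any
x509_extensions   = v3_leaf
crlnumber         = \$dir/crlnumber
crl               = \$dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 365
[ policy_any ]
commonName        = supplied
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints  = CA:FALSE
[ v3_ca ]
basicConstraints  = critical, CA:TRUE
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = Example Internal CA
EOF
}

# make_ca DIR: CA key, self-signed CA cert and the bookkeeping files openssl ca needs.
make_ca() {
  mkdir -p "$1/certs" "$1/crl" "$1/private"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  write_ca_config "$1"
  openssl req -x509 -new -config "$1/authority.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$1/private/authority.key" \
    -out "$1/authority.crt" -days 3650 >/dev/null 2>&1
}

# gencrl DIR: the answer's command, then CA cert + CRL concatenated into one bundle.
# openssl ca advances the crlnumber file by one on every successful run.
gencrl() {
  openssl ca -config "$1/authority.cnf" -gencrl -crldays 365 \
    -out "$1/crl/ca.crl.pem" >/dev/null 2>&1 || return 1
  cat "$1/authority.crt" "$1/crl/ca.crl.pem" > "$1/authority-with-crl.crt"
}

# issue_leaf DIR CN: CSR plus certificate signed by the CA in batch mode.
issue_leaf() {
  openssl req -new -config "$1/authority.cnf" -subj "/CN=$2" -newkey rsa:2048 \
    -nodes -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl ca -config "$1/authority.cnf" -batch -days 365 -notext \
    -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}

# verify_with_bundle DIR CN: trust only the bundle and insist on a CRL for the
# issuer, which is the check a CRL-requiring TLS client performs.
verify_with_bundle() {
  openssl verify -crl_check -CAfile "$1/authority-with-crl.crt" "$1/$2.crt" >/dev/null 2>&1
}

# revoked_count CRLFILE: number of serials listed in the CRL (0 for an empty one).
revoked_count() {
  openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

# run_demo: the whole round trip; prints the work directory on success.
run_demo() {
  dir=$(mktemp -d)
  make_ca "$dir"
  echo 1 > "$dir/crlnumber"            # one hex digit: openssl ca refuses to load it
  if gencrl "$dir"; then echo "odd-length crlnumber was accepted?" >&2; return 1; fi
  echo 01 > "$dir/crlnumber"           # even number of hex digits: accepted
  gencrl "$dir"                        # empty CRL, enough to satisfy a CRL-requiring client
  openssl crl -in "$dir/crl/ca.crl.pem" -noout -CAfile "$dir/authority.crt" >/dev/null 2>&1
  issue_leaf "$dir" mail.example.internal
  verify_with_bundle "$dir" mail.example.internal
  openssl ca -config "$dir/authority.cnf" -revoke "$dir/mail.example.internal.crt" \
    -crl_reason keyCompromise >/dev/null 2>&1
  gencrl "$dir"                        # the bundle now carries the revocation
  if verify_with_bundle "$dir" mail.example.internal; then
    echo "revoked certificate still verifies?" >&2; return 1
  fi
  echo "$dir"
}

DEMO_DIR=$(run_demo)
echo "bundle: $DEMO_DIR/authority-with-crl.crt (revoked entries: $(revoked_count "$DEMO_DIR/crl/ca.crl.pem"))"
```

The client sees exactly what openssl verify -crl_check sees: the one file supplies both the trust anchor and the issuer's CRL, and an empty CRL satisfies the check. The caveat is the -crldays value: once the CRL's nextUpdate passes, a verifier that checks CRLs rejects the chain with a CRL-expired error, so even a "dummy" CRL has to be regenerated and re-appended before it expires.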