Re: [Openvpn-users] RE: Request: --crl-verify in DER format

  • Subject: Re: [Openvpn-users] RE: Request: --crl-verify in DER format
  • From: Jon Bendtsen <jon.bendtsen@xxxxxxxxxx>
  • Date: Thu, 2 Feb 2006 14:00:30 +0100

Well, let's request that in OpenVPN then.


On Thursday 2 Feb at 13:47, yquenechdu@xxxxxxxxxxxx wrote:

Okay, so OpenVPN should drop support for PEM and only use DER?

It is necessary to be able to ensure interoperability; therefore the use of
PEM remains necessary. On the other hand, the default format should be DER
instead of PEM. That implies that OpenVPN should integrate into the
--crl-verify part the command --inform DER by default and support it.

Yannick quenec'hdu


On Thursday 2 Feb at 12:44, yquenechdu@xxxxxxxxxxxx wrote:

On Wednesday 1 Feb at 16:00, yquenechdu@xxxxxxxxxxxx wrote:


I would add, following Jon, that to validate a CRL the file must be
transformed into DER in order to analyze the ASN.1 contained in it.
The PEM format thus becomes useless. All CAs on the market provide only
this format by default for the LCR; only OpenSSL still uses PEM for the LCR.

Why _MUST_ it be in DER format? Do you have any more documentation? What is this ASN.1 that you keep talking about?

RFC 3280, Internet X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile:

- The CRL file MUST contain a single DER encoded CRL (indicated by the
.crl file extension) as specified in [RFC 2585]

- The X.509 v2 CRL syntax is as follows. For signature calculation,
the data that is to be signed is ASN.1 DER encoded. ASN.1 DER
encoding is a tag, length, value encoding system for each element.
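The two points made in this thread, that a PEM CRL is only a base64 wrapper around the same DER bytes and that validation works on the ASN.1 tag-length-value structure of the DER, can be checked with the small loader below. It is an added example, not OpenVPN's or OpenSSL's code; the sample "CRL" is a constructed DER SEQUENCE with the right outer shape, not a real signed CRL.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)

def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes behind a PEM 'X509 CRL' block, or the input
    unchanged when it already starts with the DER SEQUENCE tag 0x30."""
    if data[:1] == b"\x30":
        return data
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("neither DER nor PEM X509 CRL")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value element at buf[pos] and return
    (tag, value, next_pos). Short and long-form lengths are handled;
    indefinite length (0x80) is rejected because DER forbids it."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:end], end

def outer_crl_structure(der: bytes):
    """RFC 3280 CertificateList is SEQUENCE { tbsCertList SEQUENCE,
    signatureAlgorithm SEQUENCE, signatureValue BIT STRING }.
    Check that the file is exactly one SEQUENCE and return its child tags."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("file is not a single DER SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    return tags

# Constructed sample (not a real CRL): SEQUENCE { SEQUENCE { NULL }, SEQUENCE { }, BIT STRING }
SAMPLE_DER = bytes.fromhex("3009" "30020500" "3000" "030100")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")
```

Running `outer_crl_structure(pem_to_der(SAMPLE_PEM))` and the same call on `SAMPLE_DER` yields the same `[0x30, 0x30, 0x03]`, which is the point of the thread: the parser only ever sees DER.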


