Open-source Languages & Tools for z/OS

 Cannot create or update a crl with OpenSSL 1.1.1

Larry Uher posted 09-22-2022 15:49
Generating a crl works fine with openssl 1.1.0c but not with openssl 1.1.1k.
The following command gives the response "Using configuration from openssl.cfg" but does not create an out file.
openssl ca -gencrl -keyfile zos.ca.key -cert zos.ca.pem -out zos.ca.crl.pem -config openssl.cfg
echo $? gives a code of 1.
Any ideas on how to debug this? Adding -verbose does not give anything more.
openssl ca -revoke does not work either.
openssl crl -in will correctly display a crl created by openssl 1.1.0c.
ROCKETEER Alexander Klochkov
Hi Larry Uher,

I couldn't reproduce it; my crl was created successfully.
Make sure you have the correct tagged input data: check "ls -laT zos.ca.*" and make sure cat of this data is readable; the same with your config.
Can you also share with us your openssl.cfg, the "env | sort" command output, and the output of the "openssl version" command for both the old and new openssl?

Thanks,
Alexander
Larry Uher
I have managed to create a test config file that works now. I will investigate further why the other config files I tried did not work.