View Issue Details

ID: 0001438
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2018-05-01 12:42
Reporter: wytze
Assigned To: GuKKDevel
Priority: normal
Severity: minor
Reproducibility: always
Status: needs work
Resolution: open
Platform: Default
OS: any
OS Version: any
Product Version: 2017 Q4
Target Version: 2017 Q4
Fixed in Version:
Summary: 0001438: CRLs published by CAcert do not contain the field "CRL number"
Description: EBS EDI-Support <EDI-Support@eon.com> reported on April 16, 2018:

the CRL which you are publishing at URL "http://crl.cacert.org/revoke.crl" is missing the field "CRL number".
Therefore some applications might not validate the CRL correctly. Please add this field to the CRL. Thank you.
Steps To Reproduce:
$ wget http://crl.cacert.org/revoke.crl
$ openssl crl -in revoke.crl -inform der -noout -text -crlnumber | head

Something like this will appear:
crlNumber=<NONE>
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Last Update: Apr 17 14:28:54 2018 GMT
        Next Update: Apr 24 14:28:54 2018 GMT
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Apr 1 14:25:08 2003 GMT

The crlNumber=<NONE> shows the problem.
Additional Information: According to RFC 5280 (May 2008), section 5.2:
   Conforming CRL issuers are REQUIRED to include the authority key
   identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
   extensions in all CRLs issued.

The same requirement was already present in the predecessor of this RFC, namely RFC 3280 from April 2002, so it is somewhat surprising that this was never implemented in the CAcert signer.

This can be fixed by adding the crlnumber field to the openssl profile used on the CAcert signer for generating CRLs. The openssl software used for this is capable of maintaining a serial number per CRL in a separate text file, see the documentation for 'openssl ca'.
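The fix described above, as an added example that is not the CAcert signer's actual profile: a scratch CA whose openssl.cnf carries the crlnumber setting, issuing two CRLs so the per-CRL counter file can be seen advancing. The directory layout, section names and the demo subject are assumptions; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not the CAcert signer's real profile: a throw-away CA whose
# openssl.cnf has the 'crlnumber' line, so 'openssl ca -gencrl' emits the
# CRL Number extension (RFC 5280, section 5.2.3). All paths are made up.
set -eu

setup_demo_ca() {               # $1 = scratch directory for the demo CA
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"          # empty certificate database
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"    # counter 'openssl ca' bumps after every CRL
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
organizationName   = Organization Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 7
crl_extensions   = crl_ext
crlnumber        = \$dir/crlnumber   # the line the report says is missing
[ crl_ext ]
authorityKeyIdentifier = keyid:always  # the other extension RFC 5280 requires
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 30 \
    -subj "/O=Demo Root CA" >/dev/null 2>&1
}

issue_crl() {                   # sign one CRL; the counter file advances by one
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/revoke.crl" 2>/dev/null
}

crl_number() {                  # the report's check, reduced to the bare value
  openssl crl -in "$1/revoke.crl" -noout -crlnumber | sed 's/^crlNumber=//; s/^0x//'
}
```

Run setup_demo_ca on an empty directory, then issue_crl and crl_number against it; a CRL produced without the crlnumber line prints <NONE>, exactly the symptom in the report.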
Tags: certificates
Reviewed by:
Test Instructions: See Steps To Reproduce

Activities

wytze

2018-04-17 15:36

developer   ~0005584

This can be tested with the signer installed on test.cacert.org.

Issue History

Date Modified Username Field Change
2018-04-17 15:24 wytze New Issue
2018-04-17 15:24 wytze Tag Attached: certificates
2018-04-17 15:33 wytze Status new => confirmed
2018-04-17 15:36 wytze Status confirmed => needs work
2018-04-17 15:36 wytze Note Added: 0005584
2018-05-01 12:42 dastrath Assigned To => GuKKDevel