View Issue Details

ID: 0001438
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2018-05-01 12:42
Reporter: wytze
Assigned To: GuKKDevel
Status: needs work
Resolution: open
Platform: Default
OS: any
OS Version: any
Product Version: 2017 Q4
Target Version: 2017 Q4
Fixed in Version:
Summary: 0001438: CRLs published by CAcert do not contain the field "CRL number"
Description:
EBS EDI-Support <> reported on April 16, 2018:

the CRL which you are publishing at URL "" is missing the field "CRL number".
Therefore some applications might not validate the CRL correctly. Please add this field to the CRL. Thank you.
Steps To Reproduce:
$ wget
$ openssl crl -in revoke.crl -inform der -noout -text -crlnumber | head

Something like this will appear:
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=Root CA/OU= Cert Signing Authority/
        Last Update: Apr 17 14:28:54 2018 GMT
        Next Update: Apr 24 14:28:54 2018 GMT
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Apr 1 14:25:08 2003 GMT

The crlNumber=<NONE> shows the problem.
Additional Information:
According to RFC 5280 (May 2008), section 5.2:
   Conforming CRL issuers are REQUIRED to include the authority key
   identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
   extensions in all CRLs issued.

The same requirement was already present in the predecessor of this RFC, namely RFC 3280 from April 2002, so it is somewhat surprising that this was never implemented in the CAcert signer.

This can be fixed by adding the crlnumber field to the openssl profile used on the CAcert signer for generating CRLs. The openssl software used for this is capable of maintaining a serial number per CRL in a separate text file, see the documentation for 'openssl ca'.
Reviewed by
Test Instructions:
See Steps To Reproduce
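
The check for the two extensions that RFC 5280 section 5.2 requires can also be scripted for monitoring a published CRL. The following is an added example, not part of the original report and not CAcert code: it walks the DER structure only and does not verify the signature, and the sample CRLs (issuer "Example CA", key identifier, dummy signature bytes) are constructed for illustration.

```python
# Added example: report the CRL number and AKI presence of a DER-encoded CRL.
OID_CRL_NUMBER = bytes.fromhex("551d14")  # 2.5.29.20 cRLNumber
OID_AKI = bytes.fromhex("551d23")         # 2.5.29.35 authorityKeyIdentifier

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def check_crl(der):
    """Report the CRL number (None if absent) and whether an AKI is present."""
    tbs = read_tlv(read_tlv(der)[1])[1]  # CertificateList -> tbsCertList
    exts = {}
    for tag, body in children(tbs):
        if tag == 0xA0:  # crlExtensions [0] EXPLICIT SEQUENCE OF Extension
            for _, ext in children(read_tlv(body)[1]):
                fields = list(children(ext))  # OID, optional critical, OCTET STRING
                exts[fields[0][1]] = fields[-1][1]
    raw = exts.get(OID_CRL_NUMBER)  # extnValue wraps a DER INTEGER
    number = int.from_bytes(read_tlv(raw)[1], "big") if raw else None
    return {"crl_number": number, "has_aki": OID_AKI in exts}

def tlv(tag, content=b""):  # minimal DER encoder, only for the constructed samples
    n = len(content)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])  # samples stay under 256 bytes
    return bytes([tag]) + size + content

def sample_crl(*exts):  # exts: (oid, extnValue) pairs; signature bytes are dummies
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010d")) + tlv(0x05))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x0a") + tlv(0x13, b"Example CA"))))
    tbs = tlv(0x02, b"\x01") + alg + name + tlv(0x17, b"180417142854Z") + tlv(0x17, b"180424142854Z")
    body = b"".join(tlv(0x30, tlv(0x06, oid) + tlv(0x04, val)) for oid, val in exts)
    tbs += tlv(0xA0, tlv(0x30, body)) if body else b""
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))

AKI = (OID_AKI, tlv(0x30, tlv(0x80, b"\x11" * 20)))  # constructed key identifier
NO_NUMBER = sample_crl(AKI)                           # CRL number extension missing
WITH_BOTH = sample_crl(AKI, (OID_CRL_NUMBER, tlv(0x02, b"\x2a")))
```

To check a downloaded CRL, pass the file's bytes to `check_crl`; a `crl_number` of `None` corresponds to the `crlNumber=<NONE>` output described above.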



2018-04-17 15:36

developer   ~0005584

This can be tested with the signer installed on

Issue History

Date Modified Username Field Change
2018-04-17 15:24 wytze New Issue
2018-04-17 15:24 wytze Tag Attached: certificates
2018-04-17 15:33 wytze Status new => confirmed
2018-04-17 15:36 wytze Status confirmed => needs work
2018-04-17 15:36 wytze Note Added: 0005584
2018-05-01 12:42 dastrath Assigned To => GuKKDevel