Subject: CAcert Code Development list.
- From: "Greg Stark" <gstark AT electrorent.com>
- To: "'CAcert Code Development list.'" <cacert-devel AT druantia.cacert.org>
- Subject: Re: [CAcert-Devel] CRL Verification
- Date: Wed, 11 Jul 2007 08:56:51 -0700
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-devel>
- List-id: "CAcert Code Development list." <cacert-devel.lists.cacert.org>
Philipp,
Would this be what you're looking for?
Greg
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
http://openvpn.net/archive/openvpn-devel/2005-12/msg00000.html
* Subject: [Openvpn-devel] Patch for a new tls-export-cert option
* From: Mathieu GIANNECCHINI <mat.giann@xxxxxxx>
* Date: Tue, 06 Dec 2005 16:08:34 +0100
Hello,
Here is a tiny patch which adds to OpenVPN a new option "tls-export-cert":
--tls-export-cert [directory] : Get peer cert in PEM format and store it in
an openvpn temporary file in [directory]. Peer cert is stored *before*
tls-verify script execution and deleted *after*.
The peer cert temporary file name is sent to the tls-verify script by an
environment variable named "peer_cert".
This new option may be useful to add some checks to the tls-verify script.
For example, if you have a PKI with more than one CA, you can handle a full
CRL check with the -crl_check_all openssl option. Here is an example of a
tls-verify script:
#!/bin/sh
# All CRLs are in the /etc/openvpn/capath directory.
# $peer_cert is set by OpenVPN (--tls-export-cert) to the exported peer cert file.
RESULT=`openssl verify -CApath /etc/openvpn/capath -crl_check_all -verbose "$peer_cert" 2>&1`
# Is the CRL check OK? Match the literal "<file>: OK" string (-F: no regex).
echo "$RESULT" | grep -qF "$peer_cert: OK"
if [ $? -eq 0 ]
then
    echo "openssl verify successed : $RESULT"
    exit 0
fi
# CRL verification failed
exit 1
Regards,
Mat
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> -----Original Message-----
> From: cacert-devel-bounces AT druantia.cacert.org
> [mailto:cacert-devel-bounces AT druantia.cacert.org] On Behalf Of Philipp Gühring
> Sent: Wednesday, July 11, 2007 1:02 AM
> To: cacert-devel AT cacert.org
> Subject: [CAcert-Devel] CRL Verification
>
> Hi,
>
> I need a tool to verify the validity of a CRL:
> Is it currently valid?
> Is it issued by the CA (specified with the CA certificate)?
> Is its integrity ok?
>
> The tool should return Yes/No, and optionally alert through
> email (to a configurable email address) in case of any problems.
>
> The usage of OpenSSL is preferred. (You could make a
> shell script that does it)
>
> Best regards,
> Philipp Gühring
>
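The three checks asked for in the quoted request (issued by the given CA, integrity intact, currently valid), sketched as a shell function around `openssl crl`. This is an added example, not code from either poster or from CAcert. It assumes a PEM-encoded CRL, GNU `date`, and a `mail` command when alerts are wanted; `check_crl` and `ALERT_EMAIL` are hypothetical names.

```shell
#!/bin/sh
# Added example: verify a PEM CRL against its CA certificate with OpenSSL.
# Assumptions: GNU date (for -d); `mail` is only used if ALERT_EMAIL is set.
# check_crl and ALERT_EMAIL are hypothetical names, not from the thread.

# check_crl CRL_PEM CA_PEM
# Prints "Yes" and returns 0 only if the CRL signature verifies under the CA
# certificate (issuer + integrity) and now lies in [lastUpdate, nextUpdate].
# Every error path fails closed: prints "No" and returns 1.
check_crl() {
    crl_file=$1; ca_file=$2; crl_reason=""

    # Issuer and integrity: match the "verify OK" text, not only the exit status.
    crl_out=$(openssl crl -in "$crl_file" -CAfile "$ca_file" -noout 2>&1) || true
    case $crl_out in
        *"verify OK"*) ;;
        *) crl_reason="signature not verified: $crl_out" ;;
    esac

    # Validity window.
    if [ -z "$crl_reason" ]; then
        crl_dates=$(openssl crl -in "$crl_file" -noout -lastupdate -nextupdate 2>/dev/null) || true
        crl_last=$(printf '%s\n' "$crl_dates" | sed -n 's/^lastUpdate=//p')
        crl_next=$(printf '%s\n' "$crl_dates" | sed -n 's/^nextUpdate=//p')
        now_s=$(date -u +%s)
        # An empty value, or "NONE" for an absent nextUpdate, does not parse and is rejected.
        last_s=$(date -u -d "${crl_last:-NONE}" +%s 2>/dev/null) || crl_reason="bad lastUpdate '$crl_last'"
        next_s=$(date -u -d "${crl_next:-NONE}" +%s 2>/dev/null) || crl_reason="bad or missing nextUpdate '$crl_next'"
        if [ -z "$crl_reason" ]; then
            [ "$now_s" -ge "$last_s" ] || crl_reason="not yet valid (lastUpdate $crl_last)"
            [ "$now_s" -le "$next_s" ] || crl_reason="expired (nextUpdate $crl_next)"
        fi
    fi

    if [ -z "$crl_reason" ]; then echo "Yes"; return 0; fi
    echo "No"
    echo "CRL check failed for $crl_file: $crl_reason" >&2
    if [ -n "${ALERT_EMAIL:-}" ]; then
        echo "CRL check failed for $crl_file: $crl_reason" | mail -s "CRL problem" "$ALERT_EMAIL"
    fi
    return 1
}

# Command-line use: sh check_crl.sh crl.pem ca.pem
if [ "$#" -eq 2 ]; then check_crl "$1" "$2"; exit $?; fi
```

Run from cron with `ALERT_EMAIL` set, it covers the optional e-mail alert; the reason for a "No" goes to stderr so the Yes/No answer on stdout stays machine-readable.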