Skip Menu |

This queue is for tickets about the Crypt-OpenSSL-CA CPAN distribution.

Report information
The Basics
Id: 111086
Status: new
Priority: 0/
Queue: Crypt-OpenSSL-CA

Owner: Nobody in particular
Requestors: tlhackque [...]

Bug Information
Severity: Important
Broken in: 0.24
Fixed in: (no value)

Subject: issuerAltName, issuingDistributionPoint, certificateIssuer can't be added to a CRL
Download (untitled) / with headers
text/plain 1.4k
issuerAltName is valid (in some cases mandatory) in a CRL per RFC3280 ss 5.3.2: "Issuer Alternative Name" The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI. Multiple instances of a name and multiple name forms may be included. Whenever such identities are used, the issuer alternative name extension MUST be used; however, a DNS name MAY be represented in the issuer field using the domainComponent attribute as described in section The issuerAltName extension SHOULD NOT be marked critical. (Note the MUST) Although it would be ideal to be able to extract the issuerAltName from the signing certificate (previous bug report), it should be possible to add it to the CRL in any case. issuingDistributionPoint (5.2.5) "critical", but optional. Crypt::OpenSSL::CA does not support these extensions. Also, certificateIssuer (5.3.4) is an optional entry extension, which you document as "unimplemented". Why? Support should be added. Comments in the code indicate that the permitted CRL extensions are hard-coded due to an OpenSSL limitation c.a. 0.9.8c - which is now ancient history. If these limitations have been removed, generalizing the CRL set_extension method to match the certificate's set_extension method would be a good thing, as other, private CRL extensions are permitted. Thanks.

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to