I think the majority of applications today that use certificates/CRLs use (or expect) version 2.
Plus, I checked the source code of x509.go: the function CreateCRL uses pkix.TBSCertificateList, and line 1650 initializes the version = 1.
However, according to the Go doc (quoting here: "TBSCertificateList represents the ASN.1 structure of the same name. See RFC 5280, section 5.1."), RFC 5280 is the profile for CRLv2, not v1. So I think that if TBSCertificateList follows RFC 5280, then the created CRL should be v2.
The following is a snippet of a CRL generated by Go 1.5.2 on windows/amd64:
```text
[SVR ~]$ openssl crl -in crl.crl -text -inform der|more
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=EXAMPLEROOTCA
        Last Update: Nov 10 23:00:00 2009 GMT
        Next Update: Nov 10 23:00:00 2019 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:9B:C9:78:89:2F:90:86:71:98:77:87:19:98:CC:E8:09:A9:48:95:12
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Nov 10 23:00:00 2010 GMT
    Serial Number: 02
        Revocation Date: Nov 10 23:00:00 2010 GMT
....
```
mdempsky changed the title from "CRL generated by crypto/x509/Certificate.CreateCRL is still version 1" to "crypto/x509: CRL generated by Certificate.CreateCRL is still version 1" on Jan 13, 2016.
What's happening is that v2 is being specified, but it's also set as the default value of that ASN.1 element. Therefore it's not getting written because it's the default and the element is optional.
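As an added illustration (not code from this issue or from the Go project), the Go program below reproduces the mechanism the comment above describes: encoding/asn1 omits an optional field whose value equals its declared default, so a struct tag that declares the v2 value (INTEGER 1) as the default silently writes a v1 CRL on the wire, which is exactly what the openssl output shows. The two struct types and their tags are hypothetical reconstructions, not the real pkix source. It also includes a check a PKI operator can run against any DER CRL to confirm it is v2, exercised here on a constructed CRL signed by a throwaway P-256 CA via the current x509.CreateRevocationList API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical tag variants (not the real pkix source). RFC 5280: the CRL
// version INTEGER is absent for v1 and equals 1 for v2. encoding/asn1 omits an
// optional field equal to its declared default, so "default:1" drops v2.
type tbsBadDefault struct {
	Version int `asn1:"optional,default:1"` // wrong: 1 now means "omit"
	Issuer  string
}
type tbsGoodDefault struct {
	Version int `asn1:"optional,default:0"` // correct: only v1 (0) is omitted
	Issuer  string
}

// HasVersionInteger reports whether the first element inside a DER SEQUENCE
// is an INTEGER (tag 0x02), i.e. whether a version field was encoded at all.
func HasVersionInteger(der []byte) (bool, error) {
	var seq asn1.RawValue
	if rest, err := asn1.Unmarshal(der, &seq); err != nil {
		return false, err
	} else if len(rest) != 0 || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence {
		return false, errors.New("not a single DER SEQUENCE")
	}
	return len(seq.Bytes) > 0 && seq.Bytes[0] == asn1.TagInteger, nil
}

// EncodedVersionVisible marshals Version=1 (v2) with one tag variant and
// reports whether the INTEGER survived encoding.
func EncodedVersionVisible(buggyTag bool) (bool, error) {
	var v interface{} = tbsGoodDefault{Version: 1, Issuer: "EXAMPLEROOTCA"}
	if buggyTag {
		v = tbsBadDefault{Version: 1, Issuer: "EXAMPLEROOTCA"}
	}
	der, err := asn1.Marshal(v)
	if err != nil {
		return false, err
	}
	return HasVersionInteger(der)
}

// CRLVersion parses a DER CRL as a relying party does and returns the version
// as openssl prints it: 1 when the INTEGER is absent, 2 when it equals 1.
func CRLVersion(der []byte) (int, error) {
	var cl pkix.CertificateList
	if rest, err := asn1.Unmarshal(der, &cl); err != nil {
		return 0, err
	} else if len(rest) != 0 {
		return 0, errors.New("trailing data after CRL")
	}
	return cl.TBSCertList.Version + 1, nil
}

// NewSampleCRL signs a constructed CRL with a throwaway P-256 CA (current API).
func NewSampleCRL() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "EXAMPLEROOTCA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, // constructed; CreateRevocationList requires an SKI
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, err
	}
	crl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: now}},
	}
	return x509.CreateRevocationList(rand.Reader, crl, ca, key)
}

func main() {
	der, err := NewSampleCRL()
	if err != nil {
		panic(err)
	}
	v, _ := CRLVersion(der)
	fmt.Printf("sample CRL from x509.CreateRevocationList is v%d\n", v)
}
```

The first check is the one worth keeping in a CA's test suite: CRLVersion reads the version the way OpenSSL and other relying parties do, from the presence of the INTEGER, rather than trusting the Go-side struct field, so a regression of the default-value kind shows up as a v1 result even though the Go encoder round-trips its own output happily.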