From: <yqu...@li...> - 2006-01-31 12:55:36
|
> Den tirsdag 31.jan kl. 13:12 skrev yqu...@li...: > >> Hi, >>> >>> I occasionally get this from a cronscript that uses curl to get the >>> CRL from >>> ejbca and after that it uses openssl crl to convert it from DER to >>> PEM. >>> I am unsure where i should start looking for the problem. >>> Are EJBCA to blaim? >>> Are curl to blaim? >>> Are openssl to blaim? >>> >> EJBCA use bouncyCastle Library for generate CRL in DER format. This >> library work very well for this. >> >> Why you convert in PEM ? The better format for CRL is DER. This >> isn't a >> good idea to convert CRL in PEM format. > > openvpn appears to only support a CRL in the PEM format > > http://openvpn.net/man.html > > "--crl-verify crl > Check peer certificate against the file crl in PEM format." > > So i am kind of forced to convert it. By why does it matter that the > CRL is in DER or PEM > surely one format can be as good as another. To treat a CRL in PEM it's necessary to transform him into DER format, thus no interet to transform him into PEM to have to then re-transform hi= m into DER. Furthermore, the PEM is bigger than the DER in volume. Cheers Yannick |