When you are validating an X.509 (SSL) certificate, there are a few types of online repositories where the issuer may publish that the certificate has been revoked.
An extension in the certificate, CRL Distribution Points (crlDistributionPoints), can point you to an LDAP directory — but whoever issues the cert has to embed it in the client certificates so you even know to check.
I couldn’t get openssl to accept the value I was trying to pass in, and I found a lot of questions about this online; most of them referred to some difference between openssl .9.9 and earlier. None of them seemed to have a good resolution.
The problem with the configuration is that the comma in the LDAP URI breaks the parser if you provide the value directly. The documentation tells you to provide values with embedded commas in the “long” form, which adds an extra level of indirection: multi-valued items are stored in their own small section.
That raises several questions: @ symbol before the section name or not? Is the LHS inside the section supposed to be “crlDistributionPoints” or something else? Is the RHS supposed to contain URI:ldap://… or not? Shouldn’t fullName appear somewhere?
Well, here’s what worked for me with openssl .9.8:
crlDistributionPoints=@cdp_section
[cdp_section]
URI=ldap://foo.com/cn=ALTCDP,c=US?certificateRevocationList?base?objectClass=cRLDistributionPoint
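To confirm the long form end to end, here is an added shell example (not from the original post) that writes the section above into a throwaway openssl.cnf, issues a self-signed test certificate from it, and reads the CDP URI back out of the certificate to show the comma survived. The working directory, key/cert file names and the req/dn/v3_cdp section names are assumptions.

```shell
#!/bin/sh
# Writes a minimal openssl.cnf using the "long form" crlDistributionPoints
# section, issues a self-signed test certificate with it, and extracts the
# CRL distribution point URI from the resulting certificate.
set -eu

# Assumed scratch location; nothing here is reused afterwards.
WORK="${TMPDIR:-/tmp}/cdp-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_cdp

[dn]
CN = cdp-test

[v3_cdp]
basicConstraints = CA:FALSE
# The comma in the URI breaks the short form, so point at a section instead.
crlDistributionPoints = @cdp_section

[cdp_section]
URI = ldap://foo.com/cn=ALTCDP,c=US?certificateRevocationList?base?objectClass=cRLDistributionPoint
EOF

# Generates a throwaway key and a one-day self-signed cert carrying the extension.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/openssl.cnf" >/dev/null 2>&1
}

# Prints every CRL distribution point URI found in the certificate, one per line.
cdp_uris() {
    openssl x509 -in "$WORK/cert.pem" -noout -text \
        | sed -n 's/^[[:space:]]*URI://p'
}

issue_cert
cdp_uris
```

If the comma had been swallowed by the parser, the printed URI would stop at `cn=ALTCDP` or openssl would refuse the config outright.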
