Trouble with Certificate CRL fetch from net

plunkett

Hi,

I am using the Secure Transport APIs and ran into a problem with a certificate that has a CRL distribution point extension. I get the CSSMERR_APPLETP_CRL_NOT_FOUND status code on the server certificate in the status chain after calling SecTrustEvaluate(...). If I import the CRL manually into Keychain Access using the certtool I command, then I don't get this error.

I am using a self-signed certificate generated with OpenSSL 0.9.8. My Keychain Access certificate options are: OCSP set to Best Attempt, CRL set to Best Attempt, Priority set to Require Both.

I tried passing the policy CSSMOID_APPLE_TP_REVOCATION_CRL with the CRL options CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT, but that results in kSecTrustResultOtherError after SecTrustEvaluate, and I get the same status code, CSSMERR_APPLETP_CRL_NOT_FOUND.

I am using the OS X 10.5 SDK and my Mac is running 10.6. What should I do to enable CRL fetching from the net without having to manually import the CRL into Keychain Access?

Thanks!