[OpenSIPS-Users] Issue with stir and shaken crl_list

Răzvan Crainea razvan at opensips.org
Mon Jul 24 14:05:34 UTC 2023

Hi, Mickael!

I don't have much experience with this, but a first search would point 
to this [1] answer, which seems reasonable to me: you need to provide 
the CRL of the entire path, not only of your intermediate cert. Did you 
try that?

[1] https://stackoverflow.com/a/47398918

Best regards,

Răzvan Crainea
OpenSIPS Core Developer

On 7/19/23 15:47, Mickael Hubert wrote:
> Hi all,
> I'm working on stir and shaken, and I want to include all revoked 
> certificates.
> I my list in DER format, I use this command to transform it to PEM format:
> openssl crl -in man_crl.der -inform DER -outform PEM -out crl.pem
> there is no erreur, I can read pem format (crl.pem):
> -----BEGIN X509 CRL-----
> ....
> -----END X509 CRL-----
> I configured opensips with this:
> modparam("stir_shaken", "crl_list", "/etc/opensips/stir-shaken-ca/crl.pem")
> but I have an error:
> ul 19 12:39:07 [12] INFO:stir_shaken:verify_callback: certificate 
> validation failed: unable to get certificate CRL
> Jul 19 12:39:07 [12] INFO:stir_shaken:w_stir_verify: Invalid certificate
> Can you tell me, what is exactly the correct format please ?
> Thanks in advance !
> ++
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

More information about the Users mailing list