It turns out that newer Cisco IOS releases (don't ask which -- I don't know) expect to see an "issuing distribution point" in the Certificate Revocation List (CRL) the routers load to check for expired certificates. I didn't know, but there is such a thing as an Issuing Distribution Point (IDP) in OpenSSL, but it seems that got into the code base starting at 0.9.9-dev, which is something most Linux distributions don't have. I downloaded the OpenSSL source code for version 1.0.0 Beta2, compiled it and installed that into a temporary directory. I then modified the OpenSSL configuration to include the following:

    [ crl_ext ]
    issuingDistributionPoint=critical, @idpsec

    [ idpsec ]
    fullname=URI:http://example.com/pki/crl.cgi
    indirectCRL=TRUE
    onlysomereasons=keyCompromise, CACompromise

I then generated a new CRL using the 1.0 version of OpenSSL with:

    /var/tmp/bin/openssl ca -gencrl -config my.cnf -crlexts crl_ext -out crl.pem

specifying crl_ext as the name of the extensions section to load when creating the CRL. The CRL was correctly generated, and I looked at it with an OpenSSL 0.9.8b version. The result is a bit ugly:

    Certificate Revocation List (CRL):
            Version 2 (0x1)
        ...
            CRL extensions:
                220.127.116.11: critical
                    0-.$.". http://example.com/pki/crl.cgi...`...

whereas the 1.0.0 version of OpenSSL shows me the details nicely:

    Certificate Revocation List (CRL):
            Version 2 (0x1)
        ...
            CRL extensions:
                X509v3 Issuing Distrubution Point: critical
                    Full Name:
                      URI:http://example.com/pki/crl.cgi
                    Indirect CRL
                    Only Some Reasons:
                      Key Compromise, CA Compromise

Next step will be to update OpenSSL on the systems we use in our PKI.