It turns out that newer Cisco IOS releases (don’t ask which – I don’t know) expect to see an “issuing distribution point” in the Certificate Revocation List (CRL) the routers load to check for expired certificates. I didn’t know, but there is such a thing as an Issuing Distribution Point (IDP) in OpenSSL, but it seems that got into the code base starting at 0.9.9-dev, which is something most Linux distributions don’t have. I downloaded the OpenSSL source code for version 1.0.0 Beta2, compiled it and installed that into a temporary directory. I then modified the OpenSSL configuration to include the following:

[ crl_ext ]
issuingDistributionPoint=critical, @idpsec

[ idpsec ]
fullname=URI:http://example.com/pki/crl.cgi
indirectCRL=TRUE
onlysomereasons=keyCompromise, CACompromise

I then generated a new CRL using the 1.0 version of OpenSSL with:

/var/tmp/bin/openssl ca -gencrl -config my.cnf -crlexts crl_ext -out crl.pem

specifying crl_ext as the name of the extensions section to load when creating the CRL. The CRL was correctly generated, and I looked at it with an OpenSSL 0.9.8b version. The result is a bit ugly:

Certificate Revocation List (CRL):
   Version 2 (0x1)
   ...
   CRL extensions:
       2.5.29.28: critical
           0-.$.". http://example.com/pki/crl.cgi...`...

whereas the 1.0.0 version of OpenSSL shows me the details nicely:

Certificate Revocation List (CRL):
   Version 2 (0x1)
   ...
   CRL extensions:
       X509v3 Issuing Distrubution Point: critical
           Full Name:
             URI:http://example.com/pki/crl.cgi
           Indirect CRL
           Only Some Reasons:
             Key Compromise, CA Compromise
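
The raw bytes that 0.9.8 dumps after “2.5.29.28: critical” are simply the DER encoding of the IssuingDistributionPoint structure from RFC 5280. The decoder below is an added example, not code from this post; it uses only the Python standard library and a sample extension value constructed here to match the [idpsec] section above (the byte lengths of a real CRL's value depend on the URI length):

```python
# Added example: decode the DER value of the issuingDistributionPoint
# CRL extension (OID 2.5.29.28) that older OpenSSL prints as raw bytes.

# ReasonFlags bit positions from RFC 5280; bit 0 is the "unused" flag.
REASON_FLAGS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
                "superseded", "cessationOfOperation", "certificateHold",
                "privilegeWithdrawn", "aACompromise"]

def der_tlvs(data):
    """Yield (tag, value) pairs for consecutive DER TLVs (short or long length form)."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long form: low bits = number of length bytes
            n, ln = ln & 0x7F, 0
            for b in data[i:i + n]:
                ln = (ln << 8) | b
            i += n
        yield tag, data[i:i + ln]
        i += ln

def reason_flags(bitstr):
    """Decode a ReasonFlags BIT STRING; first byte is the count of unused trailing bits."""
    unused, bits = bitstr[0], bitstr[1:]
    nbits = min(len(bits) * 8 - unused, len(REASON_FLAGS))
    return [REASON_FLAGS[k] for k in range(nbits) if bits[k // 8] & (0x80 >> (k % 8))]

def decode_idp(ext_value):
    """Decode an IssuingDistributionPoint SEQUENCE into a dict (fields used on this page)."""
    tag, body = next(der_tlvs(ext_value))
    assert tag == 0x30, "IssuingDistributionPoint must be a SEQUENCE"
    idp = {"fullName": [], "onlySomeReasons": [], "indirectCRL": False}
    for tag, val in der_tlvs(body):
        if tag == 0xA0:                     # [0] distributionPoint, explicit (wraps a CHOICE)
            for t2, names in der_tlvs(val):
                if t2 == 0xA0:              # [0] fullName: GeneralNames
                    idp["fullName"] = [v.decode("ascii")  # [6] uniformResourceIdentifier
                                       for t3, v in der_tlvs(names) if t3 == 0x86]
        elif tag == 0x83:                   # [3] onlySomeReasons: ReasonFlags
            idp["onlySomeReasons"] = reason_flags(val)
        elif tag == 0x84:                   # [4] indirectCRL: BOOLEAN
            idp["indirectCRL"] = val == b"\xff"
    return idp

# Constructed sample (not taken from a real CRL) matching the [idpsec] section:
# fullName URI, onlysomereasons bits 1 and 2 set (5 unused bits), indirectCRL=TRUE.
URI = b"http://example.com/pki/crl.cgi"
SAMPLE_IDP = (b"\x30" + bytes([len(URI) + 13])
              + b"\xa0" + bytes([len(URI) + 4]) + b"\xa0" + bytes([len(URI) + 2])
              + b"\x86" + bytes([len(URI)]) + URI
              + b"\x83\x02\x05\x60" + b"\x84\x01\xff")
```

Running `decode_idp(SAMPLE_IDP)` recovers the same three facts the 1.0.0 `openssl crl -text` output shows: the full-name URI, the two reason flags, and the indirect-CRL marker.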

Next step will be to update OpenSSL on the systems we use in our PKI.

Linux, Security, MacOSX, and CLI :: 29 Apr 2009