PKI Engine - CRLNumber + Reason

Vault : Version 1.1.3

  1. I have been issuing some CRLs and did not see the CRLNumber in the certificate? Are there any configuration steps to perform?
  2. Is there any option to integrate the Reason in the revocation too?

Thanks for your help.

My understanding is that Vault is now not compliant with the RFC regarding CRL? Am I correct?

Hi @BrunoP-dev,

Can you explain why you think it isn’t RFC compliant? As far as we know it is compliant.

Hi, as explained, I did not see the CRLNumber in the CRL, or I missed some configuration steps.

The RFC mentions:

The CRL number is a non-critical CRL extension that conveys a
monotonically increasing sequence number for a given CRL scope and
CRL issuer. This extension allows users to easily determine when a
particular CRL supersedes another CRL. CRL numbers also support the
identification of complementary complete CRLs and delta CRLs. CRL
issuers conforming to this profile MUST include this extension in all
CRLs and MUST mark this extension as non-critical.

Do you know a way to integrate CRLNumber and/or the revocation reason? Thanks

That text refers to v3 CRLs, which support extensions. We do not use any extensions and generate v2 CRLs, which are not required to (and cannot) include extensions, including CRL number.

Hey mate, it’s all right. I just asked if there is a way to set it up to be compliant with PKI practices. No worries. Hoping someone in HC will fix it. Cheers.
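As an added example (not part of the thread and not Vault's code), this Go program checks a DER-encoded CRL for the two things asked about above: the CRL Number extension and per-entry revocation reason codes. The sample CRL, its issuer and the function names `buildSampleCRL` and `inspectCRL` are constructed for illustration; it assumes Go 1.21 or later for `RevokedCertificateEntries`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildSampleCRL returns a constructed DER CRL: number 7, serial 4096 revoked with reason 1 (keyCompromise).
func buildSampleCRL() ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	issuer := &x509.Certificate{ // constructed issuer, used only to sign the sample
		Subject:  pkix.Name{CommonName: "constructed test CA"},
		KeyUsage: x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4},
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	tmpl.RevokedCertificateEntries = []x509.RevocationListEntry{
		{SerialNumber: big.NewInt(4096), RevocationTime: now, ReasonCode: 1}}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// inspectCRL returns the CRL Number (nil if the extension is absent) and the reason code per revoked serial.
func inspectCRL(der []byte) (*big.Int, map[string]int, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, nil, err
	}
	reasons := map[string]int{}
	for _, e := range crl.RevokedCertificateEntries {
		reasons[e.SerialNumber.String()] = e.ReasonCode // 0: unspecified or no reasonCode extension
	}
	return crl.Number, reasons, nil
}

func main() {
	der, err := buildSampleCRL()
	if err != nil {
		panic(err)
	}
	fmt.Println(inspectCRL(der)) // CRL number, reason codes by serial, error
}
```

To inspect a real CRL, pass its DER bytes to `inspectCRL` in place of the constructed sample; a nil number means the CRL carries no CRL Number extension.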