curl-library
Re: Verify server certificate using CRL
Date: Thu, 2 Apr 2009 08:46:50 +0200
On Wed, Apr 1, 2009 at 4:51 PM, Asaf Cohen <asafco_at_checkpoint.com> wrote:
[...]
> One more thing, it doesn’t make sense to me when I want to check if
> certificate is valid, to trust its property of distribution points,
>
> It’s like when you need to identify yourself saying: “call this number to
> ask if it’s me…”
I don't know the answer to your other question, but you should get the
CRL URL from the CA's certificate, not from the web server's (or
whatever) certificate.
e.g. if I run "openssl x509 -text </path/to/cacert.pem" on one of the
CA certs on a Linux box, I get:
    [...]
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DirName:/CN=OCSP 1-4
        X509v3 CRL Distribution Points:
            URI:http://crl.verisign.com/RSASecureServer-p.crl
    [...]
-- Michael Wood <esiotrot_at_gmail.com>
Received on 2009-04-02
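
Added example, not part of the original thread: a throwaway CA (every name, file and the CRL URL is constructed) issues a server certificate, then `openssl verify -crl_check` is run with a CRL from that CA before revocation, a CRL signed by a different key under the same issuer name, and the CA's CRL after revocation. It goes slightly beyond the messages above to show that the check depends on the CA's signature over the CRL, whatever location the CRL was fetched from.

```shell
#!/bin/sh
# Constructed throwaway PKI; every name, path and URL below is made up.
crl_demo() (
  set -e
  cd "$(mktemp -d)"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
x509_extensions = leaf
[ pol ]
commonName = supplied
[ leaf ]
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
EOF
  # Self-signed CA certificate; both CAs get the same subject name.
  newca() { openssl req -x509 -config ca.cnf -extensions v3ca -newkey rsa:2048 \
              -nodes -subj "/CN=Demo CA" -days 30 -keyout "$1.key" -out "$1.pem"; }
  # Run "openssl ca" as the CA whose key pair is named by the first argument.
  ca() { k=$1; shift; openssl ca -batch -config ca.cnf -cert "$k.pem" -keyfile "$k.key" "$@"; }
  # Verify srv.pem against the trusted CA with revocation checking enabled.
  check() { openssl verify -crl_check -CAfile ca.pem -CRLfile "$1" srv.pem 2>&1 || true; }
  {
    newca ca; newca rogue
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=server.example.invalid" -keyout srv.key -out srv.csr
    ca ca -notext -in srv.csr -out srv.pem
    ca ca -gencrl -out good.crl       # CRL issued before revocation
    ca rogue -gencrl -out rogue.crl   # empty CRL signed by the wrong key
    ca ca -revoke srv.pem
    ca ca -gencrl -out revoked.crl    # CRL listing the server certificate
  } >/dev/null 2>&1
  # Print the distribution point stored in the issued certificate.
  openssl x509 -in srv.pem -noout -text | grep 'URI:'
  check good.crl; check rogue.crl; check revoked.crl
)
```

Calling `crl_demo` prints the distribution point URI followed by the three verification results.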