Re: Use of new option " -crl_check " in openssl 0.9.7?

Tue, 18 Mar 2003 14:21:21 -0800

**Hello,

Thanks for this piece of information ... I am trying to do a similar thing using "openssl verify", but failing.

This is what I tried:
- Generate client cert from iPlanet CA.
- Retrieve CA root cert from the CA.
- Verify the client cert: "openssl verify -CAfile ca_cert/vega_cacert.pem cli_cert_vega.pem". This returns OK.
- Revoke the client cert.
- Retrieve the CRL.
- Convert the CRL into PEM. "openssl crl -in MasterCRL.crl -inform DER -outform PEM -out ca_cert/vega_crl.pem". This works OK.
- Cat the PEM encoded CRL into the CA cert. "cat vega_cacert.pem vega_crl.pem > vega_cacert2.pem". This works OK.
- Now try verify with -check_crl. This unfortunately fails. 

        openssl verify -crl_check -CAfile ca_cert/vega_cacert2.pem cli_cert_vega.pem
        cli_cert_vega.pem: /C=US/UID=naomaru/CN=Naomaru Itoi/[EMAIL PROTECTED]
        error 3 at 0 depth lookup:unable to get certificate CRL

I concatanated CRL to the CA root cert, but is it the right thing to do?
Any advice on what I am doing wrong?

Thank you.

On Mon, Mar 17, 2003, Krause, Helga wrote:

Hello,
does anybody know how to use the options "crl_check" and "crl_check_all"
with the command
"openssl smime" correctly?

Erm yes: I wrote that bit :-)

You have to add a CRL to either the file mentioned with the -CAfile option or
the directory for -CApath (don't forget c_rehash).

Is it only used within a verification process? 

Yes it is only used when a certificate is verified. This effectively means
S/MIME signature verification only.

Which certificates is it taking for a comparison in a given crl? 

The signers certificate(s) or all certificates in a chain if crl_check_all is
present.

Access to a crl saved in a file resulted in an error: "Parameter -crl_check:
CRL wird nicht gefunden".


Well that isn't a standard OpenSSL error. Are you using the standard 'smime'
command or something else?

My knowledge of other languages is somewhat limited but does that translate as
"CRL was not found"? If so then the current CRL probably isn't in the relevant
place.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to