On Tue, Mar 18, 2003, Naomaru Itoi wrote:

> Hello, 
> 
> Thanks for this piece of information ... I am trying to do a similar thing 
> using "openssl verify", but failing.
> 
> This is what I tried:
> - Generate client cert from iPlanet CA.
> - Retrieve CA root cert from the CA.
> - Verify the client cert: "openssl verify -CAfile ca_cert/vega_cacert.pem 
> cli_cert_vega.pem".  This returns OK.
> - Revoke the client cert.
> - Retrieve the CRL.
> - Convert the CRL into PEM.  "openssl crl -in MasterCRL.crl -inform DER 
> -outform PEM -out ca_cert/vega_crl.pem".  This works OK.
> - Cat the PEM encoded CRL into the CA cert.  "cat vega_cacert.pem 
> vega_crl.pem > vega_cacert2.pem".  This works OK.
> - Now try verify with -check_crl.  This unfortunately fails. 
> 
>       openssl verify -crl_check -CAfile ca_cert/vega_cacert2.pem 
>       cli_cert_vega.pem
>       cli_cert_vega.pem: /C=US/UID=naomaru/CN=Naomaru 
>       Itoi/[EMAIL PROTECTED]
>       error 3 at 0 depth lookup:unable to get certificate CRL
> 
> I concatenated the CRL to the CA root cert, but is it the right thing to do?
> Any advice on what I am doing wrong?
> 

Try this:

openssl x509 -in cli_cert_vega.pem -issuer -noout
openssl crl -in ca_cert/vega_cacert2.pem -issuer -noout

they should produce the same string. If not then the CRL isn't for that
certificate. If they do match then please send me the certs and CRL and I'll
investigate further.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
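The steps in the question (issue, verify, revoke, fetch CRL, append CRL to the CA file, verify with -crl_check) and Steve's issuer-comparison diagnostic, reproduced end to end with a throwaway CA so each verify result can be seen. This is an added example, not code from either poster or from the OpenSSL project; it assumes an openssl binary on PATH, and the directory layout, config section names and file names (ca.cnf, ca_bundle.pem, other_ca.pem and so on) are this example's own choices. The `sed` that strips the `issuer=` prefix is likewise an assumption made so that small formatting differences between the x509 and crl subcommands cannot mask a matching DN.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the whole sequence with a
# throwaway CA so each "openssl verify" result can be observed. Assumes an
# openssl binary on PATH; layout, section names and file names are ours.
set -e

# Create a minimal CA under $1, issue one client cert from it, and make an
# unrelated self-signed cert to stand in for "a cert from some other CA".
crl_demo_setup() {
  work=$1
  mkdir -p "$work/ca/newcerts"
  : > "$work/ca/index.txt"
  echo 1000 > "$work/ca/serial"
  echo 1000 > "$work/ca/crlnumber"
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $work/ca/index.txt
new_certs_dir    = $work/ca/newcerts
serial           = $work/ca/serial
crlnumber        = $work/ca/crlnumber
certificate      = $work/ca_cert.pem
private_key      = $work/ca_key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$work/ca_key.pem" -out "$work/ca_cert.pem" -subj "/CN=Demo CA" -days 365 2>/dev/null
  openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$work/client_key.pem" -out "$work/client.csr" -subj "/CN=naomaru" 2>/dev/null
  openssl ca -config "$work/ca.cnf" -batch -notext -in "$work/client.csr" \
    -out "$work/client_cert.pem" 2>/dev/null
  openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$work/other_key.pem" -out "$work/other_ca.pem" -subj "/CN=Other CA" -days 365 2>/dev/null
}

# Run "openssl verify -crl_check" and reduce the outcome to one word.
# $1 = CA file (with or without a CRL appended), $2 = certificate to check.
crl_demo_verdict() {
  out=$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
  case $out in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no_crl ;;
    *)                                 echo other ;;
  esac
}

# Steve's diagnostic: the certificate's issuer DN must equal the CRL's issuer
# DN, otherwise no CRL in the bundle applies to that certificate. The
# "issuer=" prefix is stripped (our assumption) so output formatting
# differences between the x509 and crl subcommands cannot hide a match.
crl_demo_issuer_match() {
  cert_issuer=$(openssl x509 -in "$2" -issuer -noout | sed 's/^issuer= *//')
  crl_issuer=$(openssl crl -in "$1" -issuer -noout | sed 's/^issuer= *//')
  [ "$cert_issuer" = "$crl_issuer" ]
}

# Walk through the three states the thread describes and return the verdicts.
crl_demo_run() {
  work=$1
  crl_demo_setup "$work"
  # (1) CA cert only: -crl_check finds no CRL -> "error 3 ... unable to get certificate CRL".
  v1=$(crl_demo_verdict "$work/ca_cert.pem" "$work/client_cert.pem")
  # (2) Append an empty CRL from the same CA to the CA file: lookup succeeds, cert not listed.
  openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl.pem" 2>/dev/null
  cat "$work/ca_cert.pem" "$work/crl.pem" > "$work/ca_bundle.pem"
  v2=$(crl_demo_verdict "$work/ca_bundle.pem" "$work/client_cert.pem")
  # (3) Revoke, regenerate the CRL, rebuild the bundle: "error 23 ... certificate revoked".
  openssl ca -config "$work/ca.cnf" -revoke "$work/client_cert.pem" 2>/dev/null
  openssl ca -config "$work/ca.cnf" -gencrl -out "$work/crl.pem" 2>/dev/null
  cat "$work/ca_cert.pem" "$work/crl.pem" > "$work/ca_bundle.pem"
  v3=$(crl_demo_verdict "$work/ca_bundle.pem" "$work/client_cert.pem")
  echo "$v1 $v2 $v3"
}

demo_dir=$(mktemp -d)
demo_result=$(crl_demo_run "$demo_dir")
echo "verdicts (no CRL / empty CRL / after revoke): $demo_result"
crl_demo_issuer_match "$demo_dir/ca_bundle.pem" "$demo_dir/client_cert.pem" && echo "client cert: issuer matches the CRL"
crl_demo_issuer_match "$demo_dir/ca_bundle.pem" "$demo_dir/other_ca.pem" || echo "other_ca.pem: issuer does not match the CRL, as with a CRL from the wrong CA"
```

Two points this makes concrete. Concatenating the PEM CRL onto the file passed to -CAfile is a valid way to supply it: verify loads both certificates and CRLs from that file, so the "error 3 / unable to get certificate CRL" in the question means no loaded CRL has an issuer matching the certificate's issuer (state 1 above), which is exactly what the issuer comparison detects. And -crl_check only demands a CRL for the leaf certificate; -crl_check_all extends that to every CA in the chain, so a bundle that passes -crl_check can still fail under -crl_check_all if the root's own CRL is absent.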