Hello,

I also tried your way of crl-checking and failed too although the
issuer names of the cert and the crl were the same.

But the other way with the option -CApath succeeded.
Here are the steps I was performing:

- RootCert.pem and RootCrl.pem must be in the same directory (i.e.
  ../certs)
- execute the script c_rehash (in directory ../openssl/bin or ../tools)
  on the directory ../certs:

        ./c_rehash ../certs

  Then you get symbolic links in the directory ../certs between your
  RootCert.pem and RootCrl.pem (hash of issuer DN)

- verifying:
        openssl verify -CApath ../certs/ -crl_check UserCert.pem
  The answer should be:
        UserCert.pem: OK

I hope that helps.
Helga
And thank you for your help, Stephen Henson.
Sorry for the error in German...
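
The steps above as one runnable end-to-end script (an added example, not code from the thread or the OpenSSL project): it builds a throwaway CA in a temporary directory, issues a user certificate, publishes the CRL next to the root, hashes the directory, and runs `openssl verify -CApath ... -crl_check` before and after revoking that certificate. The CA names, paths and config file are made up for the demo; it assumes a modern openssl with `openssl rehash` (1.1.0+) or the older c_rehash script on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): end-to-end run of the -CApath workflow
# above against a throwaway CA built in a temp dir. Assumes a modern openssl;
# "openssl rehash" (1.1.0+) is tried first, then the older c_rehash script.
set -eu

demo_crl_check() {
  work=$(mktemp -d); certs="$work/certs"   # $certs stands in for ../certs
  mkdir -p "$certs" "$work/ca"; cd "$work"
  touch ca/index.txt; echo 01 > ca/serial; echo 01 > ca/crlnumber
  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $work/ca
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $certs/RootCert.pem
private_key = $work/root.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
  # Self-signed root (RootCert.pem) and a user certificate issued by it
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -subj /CN=DemoRoot \
    -days 30 -config ca.cnf -out "$certs/RootCert.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout user.key -subj /CN=User \
    -config ca.cnf -out user.csr >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in user.csr -out UserCert.pem >/dev/null 2>&1
  # CRL (RootCrl.pem) next to the root, then hash the directory: <hash>.0 / <hash>.r0
  openssl ca -config ca.cnf -gencrl -out "$certs/RootCrl.pem" >/dev/null 2>&1
  openssl rehash "$certs" >/dev/null 2>&1 || c_rehash "$certs" >/dev/null
  before=$(openssl verify -CApath "$certs" -crl_check UserCert.pem 2>&1 || true)
  # Revoke and reissue the CRL; the .r0 link follows the file name, no rehash needed
  openssl ca -config ca.cnf -revoke UserCert.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out "$certs/RootCrl.pem" >/dev/null 2>&1
  after=$(openssl verify -CApath "$certs" -crl_check UserCert.pem 2>&1 || true)
  printf '%s\n%s\n' "$before" "$after"   # "UserCert.pem: OK", then "certificate revoked"
}
```

Run `demo_crl_check` after sourcing the script; the first verify prints `UserCert.pem: OK`, the second reports error 23 (certificate revoked) once the refreshed CRL lists the serial.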


-----Original Message-----
From: Naomaru Itoi [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 March 2003 23:21
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Use of new option " -crl_check " in openssl 0.9.7?

Hello,

Thanks for this piece of information ... I am trying to do a similar thing
using "openssl verify", but failing.

This is what I tried:
- Generate client cert from iPlanet CA.
- Retrieve CA root cert from the CA.
- Verify the client cert: "openssl verify -CAfile ca_cert/vega_cacert.pem
cli_cert_vega.pem".  This returns OK.
- Revoke the client cert.
- Retrieve the CRL.
- Convert the CRL into PEM.  "openssl crl -in MasterCRL.crl -inform DER
-outform PEM -out ca_cert/vega_crl.pem".  This works OK.
- Cat the PEM encoded CRL into the CA cert.  "cat vega_cacert.pem
vega_crl.pem > vega_cacert2.pem".  This works OK.
- Now try verify with -check_crl.  This unfortunately fails. 

        openssl verify -crl_check -CAfile ca_cert/vega_cacert2.pem
cli_cert_vega.pem
        cli_cert_vega.pem: /C=US/UID=naomaru/CN=Naomaru Itoi/[EMAIL PROTECTED]
        error 3 at 0 depth lookup:unable to get certificate CRL

I concatenated the CRL to the CA root cert, but is it the right thing to do?
Any advice on what I am doing wrong?

Thank you. 

On Mon, Mar 17, 2003, Krause, Helga wrote:

> Hello,
> does anybody know how to use the options "crl_check" and "crl_check_all"
> with the command
> "openssl smime" correctly? 

Erm yes: I wrote that bit :-)

You have to add a CRL to either the file mentioned with the -CAfile option
or the directory for -CApath (don't forget c_rehash).

> Is it only used within a verification process?

Yes it is only used when a certificate is verified. This effectively means
S/MIME signature verification only.

> Which certificates is it taking for a comparison in a given crl?

The signer's certificate(s) or all certificates in a chain if crl_check_all
is present.

> Access to a crl saved in a file resulted in an error: "Parameter
> -crl_check: CRL wird nicht gefunden".

Well that isn't a standard OpenSSL error. Are you using the standard 'smime'
command or something else?

My knowledge of other languages is somewhat limited but does that translate
as "CRL was not found"? If so then the current CRL probably isn't in the
relevant place.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]