On Wed, Dec 29, 2004, [EMAIL PROTECTED] wrote:

> Hello!
> I have a problem verifying a certificate against a CRL file.
> The situation is:
> 1) The CA which I use has 2 certificates: one is the old certificate, still not
> expired, and the second is the new certificate (because the CA renewed its own certificate).
> 2) Therefore, there are 2 CRLs (one for each CA certificate).
>
> I downloaded all files. I have in one directory the files:
> CAcert1.pem (old CA cert)
> CAcert2.pem (new CA cert)
> CAcrl1.pem (CRL for CAcert1.pem)
> CAcrl2.pem (CRL for CAcert2.pem)
> I used the c_rehash perl script to make symbolic links to all these files.
> Because these are certificates of the same CA, all hash values are the same.
> So I have symbolic links, for example:
> f1467c63.0 to CAcert1.pem (old CA cert)
> f1467c63.1 to CAcert2.pem (new CA cert)
> f1467c63.r0 to CAcrl1.pem (CRL for CAcert1.pem)
> f1467c63.r1 to CAcrl2.pem (CRL for CAcert2.pem)
>
> And I have a client certificate issued by the CA and signed by CAcert2.pem.
> I tried to verify the client certificate using the command:
> openssl verify -crl_check -CApath path_to_directory_with_link clientcert.pem
> I get the error "CRL signature failure", because openssl always tries to use
> the link f1467c63.r0 for verification (in this case) and should in this case use
> f1467c63.r1.
>
> I have a client certificate issued by the CA and signed by CAcert1.pem too.
> When I tried to verify this client certificate using the command:
> openssl verify -crl_check -CApath path_to_directory_with_link clientcert.pem
> everything is OK.
> Does anybody know what to do to verify all certificates? I have to have the possibility to
> verify certificates signed by CAcert1.pem and CAcert2.pem.
The current CRL lookup code isn't very clever and can get confused in certain cases. It's not obvious from your description which extensions are present in the certificates and CRLs to resolve this case. Does the client certificate have a CRL distribution point extension (CRLDP)? Do the CRLs and client certificates have an authority key ID (AKID)? Could you post the certificates from this case?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
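Steve's questions come down to what lets the library choose between HASH.r0 and HASH.r1 once both exist. The script below is an added example, not code from this thread or from the OpenSSL project: it rebuilds the poster's layout with throwaway EC keys, once with an authority key identifier (AKID) in each CRL and once without, and counts how many of the two client certificates pass `openssl verify -crl_check`. It assumes a modern `openssl` CLI (1.1.1 or 3.x), whose CRL selection scores every candidate CRL by matching its AKID against the subject key identifier of the certificate's issuer in the chain; all file names, the CA subject, the `demo.cnf` config and the `run_scenario` helper are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a CA that renewed its certificate with a
# new key, two CRLs, a c_rehash-style directory, and the effect of an AKID in
# the CRLs on "openssl verify -crl_check". Requires openssl 1.1.1 or 3.x.
set -e

# Minimal config shared by the req, x509 and ca subcommands (constructed).
write_config() {
    cat > "$1/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
crlnumber = $1/crlnumber
EOF
    : > "$1/index.txt"
    echo 01 > "$1/crlnumber"
}

# make_ca DIR NAME: self-signed CA cert. Both CAs get the same subject, so
# their subject hashes collide exactly as in the post.
make_ca() {
    openssl req -x509 -config "$1/demo.cnf" -extensions ca_ext \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.pem" \
        -subj "/CN=Example Renewed CA" -days 365 2>/dev/null
}

# make_leaf DIR CANAME LEAFNAME SERIAL: client cert issued by one of the CAs,
# with an AKID so chain building picks the right CA key.
make_leaf() {
    openssl req -new -config "$1/demo.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial "$4" -days 30 -extfile "$1/demo.cnf" -extensions leaf_ext \
        -out "$1/$3.pem" 2>/dev/null
}

# make_crl DIR CANAME CRLNAME MODE: empty CRL signed by one CA. MODE "akid"
# adds authorityKeyIdentifier; "plain" leaves the CRL without it.
make_crl() {
    if [ "$4" = akid ]; then crlexts="-crlexts crl_ext"; else crlexts=""; fi
    # shellcheck disable=SC2086
    openssl ca -gencrl -config "$1/demo.cnf" -cert "$1/$2.pem" \
        -keyfile "$1/$2.key" -md sha256 -crldays 30 $crlexts \
        -out "$1/$3.pem" 2>/dev/null
}

# link_hashed DIR: the c_rehash layout done by hand. One subject hash serves
# both CA certs (HASH.0, HASH.1) and both CRLs (HASH.r0, HASH.r1), because
# -CApath looks CRLs up by the hash of their issuer name.
link_hashed() {
    mkdir -p "$1/hashed"
    h=$(openssl x509 -noout -hash -in "$1/ca_old.pem")
    ln -sf "$1/ca_old.pem" "$1/hashed/$h.0"
    ln -sf "$1/ca_new.pem" "$1/hashed/$h.1"
    ln -sf "$1/crl_old.pem" "$1/hashed/$h.r0"
    ln -sf "$1/crl_new.pem" "$1/hashed/$h.r1"
}

# run_scenario MODE: build everything in a temp dir, verify both client certs
# with -crl_check, and print how many of the two verified cleanly.
run_scenario() {
    d=$(mktemp -d)
    write_config "$d"
    make_ca "$d" ca_old
    make_ca "$d" ca_new
    make_leaf "$d" ca_old client_old 11
    make_leaf "$d" ca_new client_new 22
    make_crl "$d" ca_old crl_old "$1"
    make_crl "$d" ca_new crl_new "$1"
    link_hashed "$d"
    ok=0
    for leaf in client_old client_new; do
        if openssl verify -crl_check -CApath "$d/hashed" "$d/$leaf.pem" >/dev/null 2>&1; then
            ok=$((ok + 1))
        fi
    done
    rm -rf "$d"
    echo "$ok"
}

echo "CRLs with AKID:    $(run_scenario akid) of 2 client certs verified"
echo "CRLs without AKID: $(run_scenario plain) of 2 client certs verified"
```

With an AKID in both CRLs the verifier discards the CRL whose key identifier does not match the issuer it chained to, so both client certificates verify. Without it the two CRLs score identically on issuer name alone, the same one is picked for both certificates, and the certificate issued under the other key fails with the poster's "CRL signature failure". The remedy on the CA side is the one Steve's questions point at: issue CRLs (and certificates) with an AKID that matches the subject key identifier of the signing CA certificate.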