Re: verify and CRLs

Wed, 16 Jan 2008 09:29:04 -0800 

"If i all understood" ;-)

I have 2 certificates :
- One with "keyusage" as AC Certificate "CertAC.cer"
- One with "keyusage" as crl signer Certificate "Cert_crlsigner.cer"

But they have the same hash so the name with ".0" extension is the same !!
So when the last file copy is "Cert_crlsigner.cer" i have "unable to get issuer certificate" error and when the last file copy is "CertAC.cer" i have "key usage does not include CRL signing" error 

Is it the reason of my problems ?
So how to have different name with the same DN using for the hash ?

Thanks

Dr Franck ROUSSIA

rfx a écrit :

Yes, i read it
For first point, i think that there is not ths same subject and issuer, like final autosign certificat of AC ?
For second point, after translating, it's more difficult for me to understand "keyusage" not to be include ;-) 

Thanks

Dr Franck ROUSSIA

Dr. Stephen Henson a écrit :

On Wed, Jan 16, 2008, rfx wrote:
I make new path using hash name/ ".0" extension for certificat/".r0" extension for CRL
The function: 'verify -CApath @CRLCA\ -issuer_checks -crl_check "SignCertPEM.cer" 

The result is :
SignCertPEM.cer: /C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK 
error 29 at 0 depth lookup:subject issuer mismatch
/C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK
error 29 at 0 depth lookup:subject issuer mismatch
/C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK
error 29 at 0 depth lookup:subject issuer mismatch
/C=FR/O=GIP-CPS/OU=GIP-CPS PROFESSIONNEL/CN=GIP-CPS CLASSE-1
error 29 at 0 depth lookup:subject issuer mismatch
/C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK
error 35 at 0 depth lookup:key usage does not include CRL signing

Two questions :

1) Why the "subject issuer mismatch" error ? also when the result is OK
2) For this example what mean the error "key usage does not include CRL signing" ? 



Read the manual page entry for the diagnostic option -issuer_checks

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to