Hello. I have a problem with verification of certificates.
My command line is:

    openssl verify -verbose -issuer_checks -crl_check_all -CAfile tmp_cachain.pem daniel-marschall.crt

The tmp_cachain.pem file is a conclusion of all root and intermediate certificates + their CRLs. (Mh... the trick with the CRL-appending was never written in the manual, so I was thinking the certificates are validated by downloading the CRL from the Internet.)

The result is:

    daniel-marschall.crt: /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/emailaddress=i...@daniel-marschall.de
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/emailaddress=i...@daniel-marschall.de
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/emailaddress=i...@daniel-marschall.de
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Intermediate Client Certificate Authority/CN=ViaThinkSoft Intermediate Client Certificate Authority/emailaddress=certmas...@viathinksoft.de
    error 29 at 0 depth lookup:subject issuer mismatch

I noticed that I have the same problems as described here: http://www.mail-archive.com/openssl-users@openssl.org/msg30729.html .

My commands for checking are:

    openssl x509 -in ca_root/certs/cacert.crt -issuer -noout
    openssl crl -in ca_root/crl/ca.pem -issuer -noout

The result is:

    issuer= /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Root Certificate Signing Authority/CN=ViaThinkSoft Root Certificate Signing Authority/emailaddress=certmas...@viathinksoft.de
    issuer=/C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Root Certificate Signing Authority/CN=ViaThinkSoft Root Certificate Signing Authority/emailaddress=certmas...@viathinksoft.de

Since the certificates are self-made, I am sure that there is no whitespace.

You can download the certificates and test it on your own here:

    CRT: http://www.viathinksoft.de/ca/crt/root.crt
    CRL: http://www.viathinksoft.de/ca/crl/root.crl

What can I do? I do want to have these subject tests too.

My OpenSSL version is OpenSSL 0.9.8c 05 Sep 2006. Alas, I CANNOT change the openssl version since I already use the latest stable of my Debian system. The system administrator does not allow me to enforce an update to an unstable version. This bug with the whitespace also happens with Win32 OpenSSL OpenSSL 0.9.8h 28 May 2008 (the latest one I could find for Windows).

Regards
Daniel Marschall

--
Daniel Marschall
www.daniel-marschall.de
+49 6223 488840
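The CRL-appending setup described in the message above can be reproduced end to end with a throwaway PKI. This is an added example, not part of the original post: it assumes a current OpenSSL command-line tool (1.1.1 or later), and every file name and subject in it is constructed. It builds root, intermediate and leaf certificates plus one CRL per CA, then runs `openssl verify -crl_check_all` once with the CRLs appended to the `-CAfile` bundle and once without them.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> leaf); all names are made up.
make_pki() (  # $1 = empty working directory
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = CA_default
[CA_default]
database = ./index.txt
default_md = sha256
default_crl_days = 1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  : > index.txt  # empty CA database, so both CRLs list no revoked certificates
  req="openssl req -newkey rsa:2048 -nodes -config ca.cnf"
  sign="openssl x509 -req -days 2 -CAcreateserial"
  # Certificates first, then one CRL per CA (each signed with that CA's own key),
  # then the two bundles: certificates only, and certificates plus CRLs.
  $req -x509 -days 2 -subj "/CN=Example Root" -extensions v3_ca \
    -keyout root.key -out root.crt 2>/dev/null &&
  $req -subj "/CN=Example Intermediate" -keyout int.key -out int.csr 2>/dev/null &&
  $sign -in int.csr -CA root.crt -CAkey root.key \
    -extfile ca.cnf -extensions v3_ca -out int.crt 2>/dev/null &&
  $req -subj "/CN=Example Leaf" -keyout leaf.key -out leaf.csr 2>/dev/null &&
  $sign -in leaf.csr -CA int.crt -CAkey int.key -out leaf.crt 2>/dev/null &&
  openssl ca -gencrl -config ca.cnf -cert root.crt -keyfile root.key -out root.crl 2>/dev/null &&
  openssl ca -gencrl -config ca.cnf -cert int.crt -keyfile int.key -out int.crl 2>/dev/null &&
  cat root.crt int.crt > chain_only.pem &&
  cat root.crt int.crt root.crl int.crl > chain_and_crls.pem
)

verify_leaf() (  # $1 = PKI directory, $2 = file handed to -CAfile
  cd "$1" && openssl verify -crl_check_all -CAfile "$2" leaf.crt
)

dir=$(mktemp -d) && make_pki "$dir" || exit 1
verify_leaf "$dir" chain_and_crls.pem   # CRLs are picked up from the -CAfile bundle
verify_leaf "$dir" chain_only.pem ||
  echo "without the appended CRLs the check fails: nothing is fetched for you"
```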