Hello,

when I verify an intermediate certificate of a CA I get the message that
the certificate has expired. But that seems not to be right.

I use OpenSSL 1.0.0d on Fedora Linux.

Here is what I have done (comment lines begin with '#'):
>>>
mkdir /tmp/Test
cd /tmp/Test

# get the root certificate of the CA
wget http://www.trustcenter.de/media/class_3_ii.pem

# get the intermediate certificate of the CA
wget http://www.trustcenter.de/media/pr_TC_Class_3_L1_CA_V.pem

chmod 644 *.pem

# create links to hashes
ln -s class_3_ii.pem `openssl x509 -hash -noout -in class_3_ii.pem`.0 
ln -s pr_TC_Class_3_L1_CA_V.pem `openssl x509 -hash -noout -in
pr_TC_Class_3_L1_CA_V.pem`.0      

# check expire date of the root certificate
openssl x509 -in class_3_ii.pem -noout -enddate

# check expire date of the intermediate certificate
openssl x509 -in pr_TC_Class_3_L1_CA_V.pem -noout -enddate

# verify the certificate
openssl verify -CApath /tmp/Test pr_TC_Class_3_L1_CA_V.pem
<<<

For the last three commands I get the following messages:
>>>
notAfter=Dec 31 22:59:59 2025 GMT

notAfter=Dec 31 22:59:59 2025 GMT

pr_TC_Class_3_L1_CA_V.pem: C = DE, ST = Hamburg, L = Hamburg, O = TC
TrustCenter for Security in Data Networks GmbH, OU = TC TrustCenter
Class 3 CA, emailAddress = certific...@trustcenter.de
error 10 at 1 depth lookup:certificate has expired
OK
<<<

What is wrong? How can I avoid the error message?

Thanks,
Dietmar


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to