Self-signed certs cannot be revoked, because if the private key were compromised then CRLs could be forged. Trusted roots by definition are explicitly trusted, and are usually placed in a secure location (e.g. local system trusted root store), and this set is usually updated as part of the OS.
....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of y...@inbox.lv
Sent: Monday, July 18, 2011 2:10 PM
To: openssl-users@openssl.org
Subject: Re: revoking crt

Is that really a self-signed certificate? For self-signed certificates the names of the issuer are the same as the names of the subject. In your example OU and CN are not the same.

Also, according to Wikipedia, self-signed certificates (root certificates) cannot be revoked, although I do not understand why. (The CRL could be signed by the certificate's own key.)

Quoting Daniel Spannbauer <d...@marco.de><mailto:d...@marco.de>:

Hello,

I use self-signed certificates for my VPN. Now, I try to revoke a crt. I called:

    openssl ca -revoke edge.crt -config vpn.conf

But I get the error:

    "ERROR:name does not match /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/emailAddress=xxx"

The header of the crt:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8 (0x8)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=DE, ST=BY, L=yyy, O=xxx, OU=gate tun1, CN=gate tun1/Email=xxx
            Validity
                Not Before: May 14 11:12:27 2010 GMT
                Not After : May 11 11:12:27 2020 GMT
            Subject: C=DE, ST=BY, O=xxx, OU=edge am, CN=edge am/Email=xxx
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)

The entry in index.txt:

    V 200511111227Z 08 unknown /C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/Email=xxx

In my opinion, there is no error in crt or index.txt. Can anybody help me to find the error?

Regards
Daniel

--
Daniel Spannbauer
Software Development
marco Systemanalyse und Entwicklung GmbH
Tel +49 8333 9233-27  Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen
Mobile +49 171 4033220
http://www.marco.de/
Email d...@marco.de
Managing Director: Martin Reuter
HRB 171775, Amtsgericht München

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
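
Added example (not part of the thread, and not OpenSSL code): the DN printed in the quoted error ends in emailAddress=xxx, while the quoted index.txt entry ends in Email=xxx. This Python sketch parses an index.txt record and reports which DN components differ from a given subject DN. It assumes the name check is an exact string match on the record's DN field; the function names are hypothetical and the sample line is the thread's entry with its tab separators restored.

```python
# Added example; assumption: "name does not match" comes from an exact string
# comparison between the certificate's subject DN and the DN stored in index.txt.
FIELDS = ("status", "expires", "revoked", "serial", "filename", "dn")

def parse_index_line(line):
    """Split one index.txt record into its six tab-separated fields."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} tab-separated fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def split_dn(dn):
    """Turn '/C=DE/ST=BY/...' into an ordered list of (attribute, value) pairs."""
    pairs = []
    for part in dn.split("/")[1:]:
        attr, sep, value = part.partition("=")
        if not sep and pairs:
            # A '/' inside a value: glue the fragment back onto the previous pair.
            prev_attr, prev_value = pairs[-1]
            pairs[-1] = (prev_attr, prev_value + "/" + part)
        else:
            pairs.append((attr, value))
    return pairs

def diff_dn(index_dn, cert_dn):
    """Return (position, index_pair, cert_pair) for every component that differs."""
    a, b = split_dn(index_dn), split_dn(cert_dn)
    diffs = []
    for i in range(max(len(a), len(b))):
        left = a[i] if i < len(a) else None
        right = b[i] if i < len(b) else None
        if left != right:
            diffs.append((i, left, right))
    return diffs

def check_entry(index_line, cert_dn):
    """Parse a record and compare its DN with the certificate's subject DN."""
    rec = parse_index_line(index_line)
    return rec["serial"], diff_dn(rec["dn"], cert_dn)

# Constructed sample: the thread's index.txt entry (tabs restored) and the DN
# exactly as printed in the quoted error message.
INDEX_LINE = "V\t200511111227Z\t\t08\tunknown\t/C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/Email=xxx"
ERROR_DN = "/C=DE/ST=BY/O=xxx/OU=edge am/CN=edge am/emailAddress=xxx"

if __name__ == "__main__":
    serial, diffs = check_entry(INDEX_LINE, ERROR_DN)
    for pos, in_index, in_cert in diffs:
        print(f"serial {serial}, component {pos}: index.txt {in_index} vs certificate {in_cert}")
```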