On 3/1/2012 12:41 PM, mario piccinelli wrote:
> Hi everyone
> I'm stuck with a situation about openssl and I really don't know how to get
> out..
> What I'm trying to do is build a three level chain to sign files:
> - a root cert
> - a user cert
> - an end cert
> At the user level a revocation list can be produced to revoke the user's end
> certs.
> I create a PEM file with a detached signature, and I include in that the user
> cert and the end cert.
> After receiving the file, I do the following:
> - concatenate all the CRLs AND the root cert in a single file named chain.tmp
> - extract the certs from the SMIME message:
> openssl pkcs7 -print_certs -in "data.p7m" -out "signers.tmp"
> then I try to verify the signers' certs (user cert and end cert) in signers.tmp
> with the CRLs and root cert in chain.tmp:
> openssl verify -CAfile "chain.tmp" -crl_check "signers.tmp"

What makes you think the CRLs should be in the file passed as -CAfile
argument?

> but I always get the error: unable to get certificate CRL
> I'm sure the CRL is correctly included in chain.tmp.. what am I doing wrong? I
> noticed that if I remove the root cert from chain.tmp it (obviously) complains
> about the lack of issuer certificate.. but it seems unable to see the CRL in
> the same file!
> Thanks to anyone who took the time even for reading through all of this :-)

--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
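
Added example (not from either poster and not OpenSSL project code): a constructed three-level chain like the one described in the thread, checked with the root passed via -CAfile, the user-level CA via -untrusted and the user-level CRL via -CRLfile, one end certificate per call. All names, subjects and the pki.cnf file are constructed for the demo; it assumes a current OpenSSL (1.1.1 or 3.x) on the PATH.

```sh
# Added example: every name, subject and file below is constructed.
set -eu

issue() {  # issue NAME ISSUER [x509 options]: new key, CSR, cert signed by ISSUER
  n=$1; ca=$2; shift 2
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$n.key" -out "$n.csr" -subj "/CN=Constructed $n" 2>/dev/null
  openssl x509 -req -in "$n.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -out "$n.pem" "$@" 2>/dev/null
}

build_pki() {
  # CA extensions for root/user certs, plus the CA section that issues the CRL.
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = user_ca
[user_ca]
database = index.txt
default_md = sha256
default_crl_days = 7
EOF
  : > index.txt
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Constructed root" -days 30 2>/dev/null
  issue user root -extfile pki.cnf -extensions v3_ca   # user-level CA
  issue good user                                      # end cert, left valid
  issue revoked user                                   # end cert, revoked below
  # The user-level CA revokes one end cert and publishes its CRL.
  openssl ca -config pki.cnf -cert user.pem -keyfile user.key -revoke revoked.pem 2>/dev/null
  openssl ca -config pki.cnf -cert user.pem -keyfile user.key -gencrl -out user.crl 2>/dev/null
}

# Trust anchor, intermediate and CRL each get their own option; one end cert per call.
crl_verify() {
  openssl verify -CAfile root.pem -untrusted user.pem \
    -CRLfile user.crl -crl_check "$1" >/dev/null 2>&1
}

cd "$(mktemp -d)" && build_pki
for c in good revoked; do
  crl_verify "$c.pem" && echo "$c: accepted" || echo "$c: rejected"
done
```

-crl_check consults a CRL only for the end certificate; -crl_check_all extends the check to every certificate in the chain and then also needs a CRL issued by the root.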