Thanks for the answer.. in fact nothing, but I found nothing about that in the documentation, and I made an experiment which seemed to prove that: I verified an end certificate using as CAfile a chain made of root cert, user cert and user CRL... and it worked correctly, before and after the revocation..
Do you know something else I don't? Could you suggest a different approach?

Thanks!
Mario

On 01 Mar 2012, at 15:58, Jakob Bohm wrote:

> On 3/1/2012 12:41 PM, mario piccinelli wrote:
>> Hi everyone
>>
>> I'm stuck with a situation about openssl and I really don't know how to get
>> out..
>>
>> What I'm trying to do is build a three level chain to sign files:
>> - a root cert
>> - a user cert
>> - an end cert
>>
>> At the user level a revocation list can be produced to revoke the user's end
>> certs.
>> I create a PEM file with a detached signature, and I include in that the
>> user cert and the end cert.
>>
>> After receiving the file, I do the following:
>> - concatenate all the CRLs AND the root cert in a single file named chain.tmp
>> - extract the certs from the SMIME message:
>> openssl pkcs7 -print_certs -in "data.p7m" -out "signers.tmp"
>>
>> then I try to verify the signers' certs (user cert and end cert) in
>> signers.tmp with the CRLs and root cert in chain.tmp:
>>
>> openssl verify -CAfile "chain.tmp" -crl_check "signers.tmp"
> What makes you think the CRLs should be in the file passed as -CAfile
> argument?
>> but I always get the error: unable to get certificate CRL
>>
>> I'm sure the CRL is correctly included in chain.tmp.. what am I doing wrong?
>> I noticed that if I remove the root cert from chain.tmp it (obviously)
>> complains about the lack of issuer certificate.. but it seems unable to see
>> the CRL in the same file!
>>
>> Thanks to anyone who took the time even for reading through all of this :-)
>>
>
> --
> Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
> This message is only for its intended recipient, delete if misaddressed.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

Mario Piccinelli
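
Added example, not part of the original thread: a self-contained reproduction of the three-level chain discussed above, checked with `openssl verify` before and after the user CA revokes the end cert. It assumes an OpenSSL release whose `verify` command supports `-CRLfile` and `-untrusted`; the subject names, file names and the `pki.cnf` contents are constructed for the demo.

```shell
# Constructed demo PKI (root -> user CA -> end cert); all names and files are made up.
crl_demo() (
  set -e
  cd "$(mktemp -d)"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = user_ca
[user_ca]
database = index.txt
default_md = sha256
default_crl_days = 7
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  : > index.txt
  newreq() {  # $1 = file prefix, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  }
  # Self-signed root, then the user CA signed by the root (both CA:TRUE).
  openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
    -subj "/CN=Demo Root" -keyout root.key -out root.pem -days 7 2>/dev/null
  newreq user "/CN=Demo User CA"
  openssl x509 -req -in user.csr -CA root.pem -CAkey root.key -set_serial 1 \
    -extfile pki.cnf -extensions v3_ca -days 7 -out user.pem 2>/dev/null
  # End cert signed by the user CA.
  newreq end "/CN=Demo End"
  openssl x509 -req -in end.csr -CA user.pem -CAkey user.key -set_serial 2 \
    -days 7 -out end.pem 2>/dev/null
  userca() { openssl ca -config pki.cnf -keyfile user.key -cert user.pem "$@" 2>/dev/null; }
  check() {
    # Trust anchor, untrusted intermediate and CRL each enter via their own option.
    out=$(openssl verify -CAfile root.pem -untrusted user.pem \
      -CRLfile user.crl -crl_check end.pem 2>&1 || true)
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *": OK"*) echo ok ;;
      *) echo error ;;
    esac
  }
  userca -gencrl -out user.crl      # empty CRL issued by the user CA
  echo "before=$(check)"
  userca -revoke end.pem            # record the revocation in index.txt
  userca -gencrl -out user.crl      # reissue the CRL with the revoked serial
  echo "after=$(check)"
)
crl_demo
```

`-crl_check` looks for a CRL only for the certificate being verified (`end.pem` here), so the CRL must come from that certificate's issuer, the user CA; `-crl_check_all` would also require a CRL from the root.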