I am using OpenSSL 0.9.8 for user authentication with a root/subordinate CA infrastructure. I have noticed that if I include the CRL file from the sub-CA, then a client certificate issued and revoked by the sub-CA will not be accepted. This is expected. However, if I add the CRL files from both the root CA and the subordinate CA to my authenticator's CRL list, that same revoked user certificate is actually accepted, meaning the user with such a client certificate will be authenticated.
Has anyone else noticed this, or is this supposed to be expected behavior? Thank you in advance.
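For comparison, here is an added example (not code from the original post or from OpenSSL) showing what a correct revocation check looks like when several CRLs are loaded: each non-root certificate in the chain is checked only against a CRL from its own issuer, extra CRLs from other CAs are ignored, and a missing CRL fails closed. It assumes the Python `cryptography` library; the root CA, sub-CA, user certificate and CRLs are all constructed inline.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def cn(name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])

def make_cert(name, key, issuer, issuer_key, is_ca):
    # Minimal certificate: subject CN, issuer CN and basicConstraints only.
    return (x509.CertificateBuilder().subject_name(cn(name)).issuer_name(cn(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cert, issuer_key, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW).next_update(NOW + DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def check_chain(chain, crls):
    # chain = [leaf, ..., root]; crls in any order. A CRL from a different CA
    # is skipped, so loading the root CA's CRL cannot mask the sub-CA's revocation.
    for cert, issuer in zip(chain, chain[1:]):
        matching = [c for c in crls if c.issuer == cert.issuer]
        if not matching:
            return "no-crl"                      # fail closed, not open
        for crl in matching:
            if not crl.is_signature_valid(issuer.public_key()):
                return "bad-crl-signature"
            if crl.get_revoked_certificate_by_serial_number(cert.serial_number):
                return "revoked"
    return "good"

def scenario():
    # Constructed PKI: root -> sub-CA -> user; the sub-CA revokes the user cert.
    rk, sk, uk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("root", rk, "root", rk, True)
    sub = make_cert("sub", sk, "root", rk, True)
    user = make_cert("user", uk, "sub", sk, False)
    root_crl, sub_crl = make_crl(root, rk, []), make_crl(sub, sk, [user.serial_number])
    chain = [user, sub, root]
    return {"sub_crl_only": check_chain(chain, [sub_crl]),
            "both_crls": check_chain(chain, [root_crl, sub_crl]),
            "root_crl_only": check_chain(chain, [root_crl])}
```

With the root CA's CRL alone the leaf's issuer has no CRL at all, so the check reports "no-crl" rather than accepting the certificate.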