This is not a check of the intermediate certificate as an actual intermediate in a chain, this only checks it as a leaf certificate. Your entire chain is just:
root ---> revokedIntermediate
Yes - as a leaf of root, using the roots crl to see if any root-signed certs are revoked.
Try: openssl s_client -crl_check_all ...
Works! Great, thanks for the hint Viktor. Just recognized, that the manpage lists the "crl_check_all" options right after the "crl_check", which i used... >_< Using the crl_check_all it also complains about a missing crl now, when I remove the root's crl from the store. This wasnt the case when using crl_check, which also wondered me a bit before. Not it all makes sense :-) Thanks again! -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
