On 12/5/2012 6:44 PM, Will Nordmeyer wrote:
On Wed, Dec 5, 2012 at 12:18 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 12/5/2012 5:30 PM, Will Nordmeyer wrote:
On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson <st...@openssl.org>
wrote:
On Wed, Dec 05, 2012, Will Nordmeyer wrote:
On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson <st...@openssl.org>
wrote:
On Wed, Dec 05, 2012, Will Nordmeyer wrote:
They are US. gov't certificates & CRLs, so providing them is a little
complicated. Before I had the proper root & intermediate CAs loaded
and hashed, I would get errors about missing certs in the chain.
Similarly, before I loaded the CRL, it would have issues.
The CERTs are in PEM formats, as well as the CRLs.
I'd suggest you try a version of OpenSSL from the website to see if you
have
problems with that.
Version "1.0.0-25" or "1.0.0-fips" is not a standard OpenSSL version.
I installed 1.0.1c (and verified it is the one being called).
When I first reran the commands as I listed earlier, I got
error 20 at 0 depth lookup:unable to get local issuer certificate
I added -CApath /etc/ssl/certs and everything comes back OK again.
Try a sanity check on a certificate, for example:
openssl x509 -in TestForty_Expired.pem -noout -dates
OK... now I have insanity -
openssl x509 -in TestFortyTwo_Expired.pem -noout -dates
notBefore=Dec 30 18:09:39 2008 GMT
notAfter=Dec 29 18:09:39 2014 GMT
I have certificate 42 imported into my Internet Explorer browser, it
indicates the validity dates as:
IE tells me it is valid from 9/13/2011 to 9/14/2011
Ok, try
openssl x509 -n TestFortyTwo_Expired.pem -noout -text
and compare all the details to what you see in IE.
Maybe it is not the same certificate.
Can I switch careers to basket weaving?
Nah, I think that got outsourced (back) to China too.
Enjoy
AH - found the issue... my TestFortyTwo_Expired.pem has 3 certs in it
- the root cert, the intermediate cert and then the user cert.
I stripped out the root & intermediate cert from the PEM file and
openssl now properly reports TestFortyTwo_Expired.pem as expired.
I did the same clean up on TestThirtySeven_Revoked.pem - took out the
root cert & the intermediate cert and then ran it through dates -
dates are fine ... ran it through verify with the following command to
see a revoked certificate response:
# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose
-purpose sslclient TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: OK
Good, now you just need to pass the CRLs to the openssl verify command,
which is a slightly undocumented process.
I think I read someone else on this mailing list saying you need to
convert each CRL to PEM format, then append it to the PEM file
containing the issuing CA certificate (in a location other than the
global /etc/ssl/certs, because this method is used only by the test
programs, not by real programs).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
