I have to add:
Looking into the crl of the _sub-ca_:
Certificate Revocation List (CRL):
    Version 1 (0x0)
    Signature Algorithm: md5WithRSAEncryption
    Issuer: /C=DE/O=Xtelligent/OU=Trustcenter/O=Xtelligent Root CA/OU=TCOperating/CN=Operator Xtelligent Root CA/[EMAIL PROTECTED]
> ...
I had expected to find "O=Xtelligent IT Consulting GmbH CA", not "O=Xtelligent Root CA"... But this is the origin of the original problem. Now the problem is: why does the CRL talk about root-ca(-Operator) as issuer?
FYI - the sub-ca cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: [EMAIL PROTECTED],CN=Operator Xtelligent Root CA,OU=TCOperating,O=Xtelligent Root CA,OU=Trustcenter,O=Xtelligent,C=DE
        Validity
            Not Before: Nov 11 16:22:54 2003 GMT
            Not After : Nov 8 16:22:54 2013 GMT
        Subject: serialNumber=3,CN=Operator Xtelligent IT Consulting GmbH CA,OU=TCOperating,O=Xtelligent IT Consulting GmbH CA,OU=Trustcenter,O=Xtelligent,C=DE
I checked the source code of OpenSSL. This is the line which defines the issuer field of the CRL. So it looks to me like you/OpenCA use(s) the wrong certificate to build the CRL.
Please can you check the certificate on the sub CA again? The CA cert of the sub CA must be correct.
--------------openssl-0.9.7a/apps/ca.c-----------
if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
        goto err;
-------------------------------------------------
We operate OpenCA as a sub CA too and it works. OK, I usually don't like this but it is only a public server:
https://ra.hu-berlin.de/cgi-bin/hudca1/internet_en/pki?cmd=getStaticPage&name=index --> CA Infos --> Certificate Revocation Lists --> Text Format
Be patient with the server; it is really slow because it is not the optimized version. I hope you will receive the mail in an acceptable amount of time because my university has a mail problem today.
Best regards
Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482
(Computing Centre)             Fax: +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                        http://www.openca.org
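
Added example, not part of the original mail and not OpenCA or OpenSSL code: since `apps/ca.c` copies the signing certificate's subject into the CRL issuer, comparing the CRL issuer with each CA certificate's subject shows which certificate the CRL was built with. The function names are hypothetical, the DN strings are copied from the dumps in this thread (including the redacted e-mail component), and the root CA subject is assumed to equal the sub-CA certificate's Issuer field.

```python
import re

def parse_dn(text):
    """Parse a DN into (type, value) pairs, most significant RDN first.

    Handles the two renderings in the dumps above: OpenSSL "oneline"
    (/C=DE/O=...) and comma-separated, most specific RDN first.
    A "/" or "," inside a value must be backslash-escaped.
    """
    text = text.strip()
    if text.startswith("/"):
        parts = re.split(r"(?<!\\)/", text[1:])
    else:
        parts = list(reversed(re.split(r"(?<!\\),", text)))
    rdns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:  # component with no type, e.g. the redacted e-mail RDN
            key, value = "", part
        rdns.append((key.strip().lower(), " ".join(value.split())))
    return rdns

def crl_signer(crl_issuer, ca_subjects):
    """Labels of the CA certs whose subject equals the CRL issuer."""
    wanted = parse_dn(crl_issuer)
    return [name for name, subj in ca_subjects.items() if parse_dn(subj) == wanted]

def first_difference(dn_a, dn_b):
    """Index of the first RDN where two DNs diverge, or None if equal."""
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

# DN strings copied from the dumps in this thread. The root CA subject is
# taken from the sub-CA cert's Issuer field (assumption: the chain is intact).
CRL_ISSUER = ("/C=DE/O=Xtelligent/OU=Trustcenter/O=Xtelligent Root CA"
              "/OU=TCOperating/CN=Operator Xtelligent Root CA/[EMAIL PROTECTED]")
CA_SUBJECTS = {
    "root-ca": ("[EMAIL PROTECTED],CN=Operator Xtelligent Root CA,OU=TCOperating,"
                "O=Xtelligent Root CA,OU=Trustcenter,O=Xtelligent,C=DE"),
    "sub-ca": ("serialNumber=3,CN=Operator Xtelligent IT Consulting GmbH CA,"
               "OU=TCOperating,O=Xtelligent IT Consulting GmbH CA,"
               "OU=Trustcenter,O=Xtelligent,C=DE"),
}

if __name__ == "__main__":
    print("CRL issuer matches subject of:", crl_signer(CRL_ISSUER, CA_SUBJECTS))
    print("diverges from sub-ca subject at RDN index:",
          first_difference(CRL_ISSUER, CA_SUBJECTS["sub-ca"]))
```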