Hi Martin,

Although there are some cases of expired RA certificates, there are others 
where certs are signed by a valid RA certificate yet cannot be verified. 
See output from verification window below:

Cannot build PKCS#7-object from extracted signature!

OpenCA::PKCS7 returns errorcode 7911031

OpenCA::PKCS7->new: Cannot initialize signature (7912021).
OpenCA::PKCS7->initSignature: Cannot parse signature (7921021).
OpenCA::PKCS7->getParsed: The crypto-backend cannot verify the signature
(7742075). OpenCA::OpenSSL->verify: openca-sv failed. [Error]:
error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:2 serial:blah subject:CN=root CA blah
depth:1 serial:blah subject:CN=issuing CA blah
depth:0 serial:blah subject:RA cert blah
[Info]: Signature is corrupt. Errorcode -1.
signature:error:-1

Based on your comments about hashes I did notice the hash values in the 
root chain directory were different between the old installation (using 
0.9.8) and the new installation. I changed the Makefile to use 
subject_hash_old and rebuilt the chain. This only made matters worse. It 
was "unable to get issuer certificate". So I switched the hashes back.

If the hashes need to be changed anywhere else I am unaware of it.

Dave
