Hello,
I have a problem when using CRL. My certificate setup is the following:
    =========           =========
    | Cert1 |           | Root  |
    =========           =========
                            |
                            |
                        =========
                        |  CA   |
                        =========
                       /    |    \
                      /     |     \
                     /      |      \
              =========  =========  =========
              | Cert2 |  |  CRL  |  |revoked|
              =========  =========  =========
Cert1 is a self-signed certificate and is used to sign S/MIME messages in my
app (for which I own the private key).
Cert2 is used to sign S/MIME messages on a client app. revoked is
a certificate that has been revoked and is mentioned as such in the
CRL.
My application has Cert1, Root and CA among its trust anchors and is
configured to use Cert1 and its private key to sign messages as well
as to verify messages it has previously signed (that are read from disk
to be re-sent, for example).
As long as I don't use the CRL, everything is fine: I can sign
messages with Cert1, and verify messages signed by Cert1, Cert2 and
revoked.
If I introduce the CRL into my certificate store (using
X509_load_crl_file), the messages signed with the revoked certificate are
rejected as expected. But as a side effect, the messages I signed with
Cert1 are also rejected with the error "error:21075075:PKCS7
routines:PKCS7_verify:certificate verify error:Verify error:unable to
get local issuer certificate" when I try to verify them within
my app. The error occurs whether I use X509_V_FLAG_CRL_CHECK_ALL or
not. Signing still works.
Am I missing something, or is this normal behaviour when using a CRL? Is it
related to the fact that Cert1 is self-signed?
OpenSSL version: 0.9.8.i
OS: HPUX 11.23i
Regards,
Emmanuel
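As an added example (not part of Emmanuel's post or of OpenSSL's own code), this script rebuilds the Cert1 part of the setup with the openssl command-line tool: verifying the self-signed Cert1 succeeds without CRL checking, fails once -crl_check is enabled with no CRL issued by Cert1 in the store (current OpenSSL releases report "unable to get certificate CRL"), and succeeds again when an empty CRL signed by Cert1's own key is supplied. It assumes a current openssl binary on PATH; the config file, file names and function names are constructed here.

```shell
#!/bin/sh
# Added example: CRL checking versus a self-signed certificate (Cert1).
# Assumes a current openssl on PATH; all files go to a temporary directory.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One minimal config (constructed) serves both "openssl req" and "openssl ca -gencrl".
cat >"$WORK/cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = cert1_ca
[cert1_ca]
database = $WORK/index.txt
default_md = sha256
EOF
: >"$WORK/index.txt"

# Cert1: self-signed, as in the post (the private key stays with the application).
openssl req -config "$WORK/cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj /CN=Cert1 -keyout "$WORK/cert1.key" -out "$WORK/cert1.pem" 2>/dev/null

# Verify Cert1 against a trust store that contains Cert1 itself.
# Exit status is that of "openssl verify" (0 = OK); extra options are passed through.
verify_cert1() {
  openssl verify -CAfile "$WORK/cert1.pem" "$@" "$WORK/cert1.pem"
}

# A CRL issued by Cert1 itself. It may be empty: the verifier only needs
# proof that the issuer of the certificate under test has published a CRL.
issue_empty_crl_for_cert1() {
  openssl ca -config "$WORK/cnf" -gencrl -crldays 30 \
    -keyfile "$WORK/cert1.key" -cert "$WORK/cert1.pem" \
    -out "$WORK/cert1.crl" 2>/dev/null
}

# Case 1: no CRL checking -> OK, matching the post.
no_crl_check() { verify_cert1; }
# Case 2: CRL checking on, but no CRL from Cert1 available -> FAILS. OpenSSL
# wants a CRL from the issuer of each certificate it checks, and the issuer
# of a self-signed certificate is the certificate itself.
crl_check_no_crl() { ! verify_cert1 -crl_check; }
# Case 3: CRL checking on and Cert1's own (empty) CRL supplied -> OK again.
crl_check_with_crl() { issue_empty_crl_for_cert1 && verify_cert1 -crl_check -CRLfile "$WORK/cert1.crl"; }

no_crl_check && crl_check_no_crl && crl_check_with_crl && echo "all three cases behaved as described"
```

The same rule applies with X509_V_FLAG_CRL_CHECK_ALL to every certificate in the chain, so the Root and CA certificates then each need a CRL from their own issuer as well.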