Hello. I have a problem with verification of certificates.
I have a root, a intermediate and a client certificate. Every certificate has CRL information (client shows the intermediate CRL). The chain is: ViaThinkSoft Root Certificate Signing Authority (CRL: Root) - ViaThinkSoft Intermediate Client Certificate Authority (CRL: Intermediate) - - Daniel Marschall (CRL: Intermediate) At the verification process I get 2 types of errors 1. Issuer subject name errors 2. A CRL-Retriving error How can I solve these errors? Here is my command line: cat root.crt > tmp_cachain.pem cat intermediate.crt >> tmp_cachain.pem openssl verify -verbose -issuer_checks -crl_check_all -CAfile tmp_cachain.pem daniel-marschall.crt The result is: daniel-marschall.crt: /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected] error 29 at 0 depth lookup:subject issuer mismatch /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected] error 29 at 0 depth lookup:subject issuer mismatch /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected] error 29 at 0 depth lookup:subject issuer mismatch /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Intermediate Client Certificate Authority/CN=ViaThinkSoft Intermediate Client Certificate Authority/[email protected] error 29 at 0 depth lookup:subject issuer mismatch /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected] error 3 at 0 depth lookup:unable to get certificate CRL The CRL URIs are stored in the certificates. I expect that the verify tool downloads the CRLs to simulate if the verification process would work at the client's side. My OpenSSL version is OpenSSL 0.9.8c 05 Sep 2006 (CANNOT change!) Can you please help? My tmp_cachain.pem is: -----BEGIN CERTIFICATE----- MIIKqzCCCJOgAwIBAgIBADANBgkqhkiG9w0BAQUFADCB5zELMAkGA1UEBhMCREUx GzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzESMBAGA1UEBxMJQmFtbWVudGFs MRUwEwYDVQQKEwxWaWFUaGlua1NvZnQxKzApBgNVBAsTIlJvb3QgQ2VydGlmaWNh dGUgU2lnbmluZyBBdXRob3JpdHkxODA2BgNVBAMTL1ZpYVRoaW5rU29mdCBSb290 IENlcnRpZmljYXRlIFNpZ25pbmcgQXV0aG9yaXR5MSkwJwYJKoZIhvcNAQkBFhpj ZXJ0bWFzdGVyQHZpYXRoaW5rc29mdC5kZTAeFw0wOTEwMjUxNDIzMjVaFw0zNDA2 MTYxNDIzMjVaMIHnMQswCQYDVQQGEwJERTEbMBkGA1UECBMSQmFkZW4tV3VlcnR0 ZW1iZXJnMRIwEAYDVQQHEwlCYW1tZW50YWwxFTATBgNVBAoTDFZpYVRoaW5rU29m dDErMCkGA1UECxMiUm9vdCBDZXJ0aWZpY2F0ZSBTaWduaW5nIEF1dGhvcml0eTE4 MDYGA1UEAxMvVmlhVGhpbmtTb2Z0IFJvb3QgQ2VydGlmaWNhdGUgU2lnbmluZyBB dXRob3JpdHkxKTAnBgkqhkiG9w0BCQEWGmNlcnRtYXN0ZXJAdmlhdGhpbmtzb2Z0 LmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzmprzkEs1EQM0OQA oP3p19BqyzV4cyKtYPpN1oxqVXZHrh1rI+ndMIPLRQ/bDCDy/XkJR6UGHihz7ngo Fj6uNsTg3SuyHJutj3rw77R5UtqH7SsDzXj/gpUwDyiHN0/fc7pbEu/6KEugZSYb F/x9JK9wq6o/e541upJ0pxfND7rc2iWIcyGWsr2I3omuSbLA/LobzKEPiWosMjTy db0HxcrKC5pb7vvB8uBygryDJIDaW8S/wefXVOyj7dVdDoDm3RcB/QCZlT678mTL hCQ5moVllZW9etqN74WLdXv3jS2SC1E39nkGjhECnoWvOlk/waRokmlSDzGb+QbJ br/2F3iwgiAUsYtCCyae4FGKWURVfTyVuIZTHFKfWQQCosPPrdiij+tEvWgdFNvN W9dbVsUtRfjfhMgahlepVtT3HYpr92+JotYdGvF3fiA8OoH/re9q3m8Y8GGXBkPo jSqCPVl68AfttlbTUTIVpofsjdPOlQ5paxVFCuUkiPgq9N7UKni/I4K4l5SsS4XS 7tBA5CKEzXfxuoEN8THfF6ymPEKiBrnTwm1Ulkc6uM5+8BBrbAQCtlO+GHIuE5sI TksX+hpazbMegoVg08KuDNih30af4UItRY4IshNBUvQmjLYgtXBEwLJqcpCy8tCb UVhZnw4tqc0czRj1PVrMIUIo0V0CAwEAAaOCBF4wggRaMB0GA1UdDgQWBBTXTW0w GMN2N7SmyanHRhF1jNKXODCCARYGA1UdIwSCAQ0wggEJgBTXTW0wGMN2N7SmyanH RhF1jNKXOKGB7aSB6jCB5zELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1 ZXJ0dGVtYmVyZzESMBAGA1UEBxMJQmFtbWVudGFsMRUwEwYDVQQKEwxWaWFUaGlu a1NvZnQxKzApBgNVBAsTIlJvb3QgQ2VydGlmaWNhdGUgU2lnbmluZyBBdXRob3Jp dHkxODA2BgNVBAMTL1ZpYVRoaW5rU29mdCBSb290IENlcnRpZmljYXRlIFNpZ25p bmcgQXV0aG9yaXR5MSkwJwYJKoZIhvcNAQkBFhpjZXJ0bWFzdGVyQHZpYXRoaW5r c29mdC5kZYIBADAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjCBjgYDVR0l BIGGMIGDBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYI KwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcKAwEGCisG AQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEAQYIKwYBBQUHAwkwJQYDVR0R BB4wHIEaY2VydG1hc3RlckB2aWF0aGlua3NvZnQuZGUwJQYDVR0SBB4wHIEaY2Vy dG1hc3RlckB2aWF0aGlua3NvZnQuZGUwOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDov L3d3dy52aWF0aGlua3NvZnQuZGUvY2EvY3JsL3Jvb3QuY3JsMBEGCWCGSAGG+EIB AQQEAwIABzA0BglghkgBhvhCAQMEJxYlaHR0cDovL3d3dy52aWF0aGlua3NvZnQu ZGUvY2EvcmV2b2tlLzA5BglghkgBhvhCAQQELBYqaHR0cDovL3d3dy52aWF0aGlu a3NvZnQuZGUvY2EvY3JsL3Jvb3QuY3JsMDQGCWCGSAGG+EIBCAQnFiVodHRwOi8v d3d3LnZpYXRoaW5rc29mdC5kZS9jYS9wb2xpY3kvMC0GCWCGSAGG+EIBAgQgFh5o dHRwOi8vd3d3LnZpYXRoaW5rc29mdC5kZS9jYS8wfAYIKwYBBQUHAQEEcDBuMDQG CCsGAQUFBzABhihodHRwOi8vd3d3LnZpYXRoaW5rc29mdC5kZS9jYS9vY3NwL3Jv b3QvMDYGCCsGAQUFBzAChipodHRwOi8vd3d3LnZpYXRoaW5rc29mdC5kZS9jYS9j cnQvcm9vdC5jcnQwOQYJYIZIAYb4QgEHBCwWKmh0dHA6Ly93d3cudmlhdGhpbmtz b2Z0LmRlL2NhL2NydC9yb290LmNydDBDBgNVHSAEPDA6MDgGAQAwMzAxBggrBgEF BQcCARYlaHR0cDovL3d3dy52aWF0aGlua3NvZnQuZGUvY2EvcG9saWN5LzANBgkq hkiG9w0BAQUFAAOCAgEAkv/dFhQaFKP5MfeNAdX+wIbsn2ceAYk8kwhDkZ/FjO62 Mst+igucTrs6C8YTeLjuZNXWdpq/9uagtu6QNyIE3DlLjzZhUf3dvYtUFwj85236 7dO1giEUyoox+XIHwWIMhvQTpdQP66IXfsFSRkCAX2fDyvk/IcL+wXG8Fz2PMotd iTh8WrxU853OXFK6w2S5STqBoHMOqhqLkwwAalThs/E2Ainp8xrHEBnEnIDDJWYC vVU+q3oT0AvlMd52KFwN80ZZbzrJu6zdacuJZd32JTFG9589Gp2f/ZKdCFykKlju of7onNBltyEsV/9w35A1A5h/eQqw/J5tg16Na2Xsaab00+t7GcM027pGpMvzzDjW O7XShcbF/QtM4k4Ze8WrVYKPpFac31MSWYmu2g41FEBbBvzVFgG7A+USW2UJtAlq Gk/ix7uoOjfSIAiQE6Xn6PLkpScGyoNiqCcQwEIzIwWeGi++HKbpEO9KIa39kIo6 GlESuU5A0ia9cPKp8NHbv1n7G6+F/YCooFxjvfUMR1F+T0Cm2uPVVMJMQfV4kHIt G9e22XJLHk3wm1mpal293qiM8A7em4TfigczcMQjOc3Y67OSNZCF0PKM0MpaUK9J kckK/Dh6yOH8POx+aY73qJThrwYdE1ak/ml1u2X7ml0nwahQLGdpaCbEtEXvtNE= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIKijCCCHKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCB5zELMAkGA1UEBhMCREUx GzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzESMBAGA1UEBxMJQmFtbWVudGFs MRUwEwYDVQQKEwxWaWFUaGlua1NvZnQxKzApBgNVBAsTIlJvb3QgQ2VydGlmaWNh dGUgU2lnbmluZyBBdXRob3JpdHkxODA2BgNVBAMTL1ZpYVRoaW5rU29mdCBSb290 IENlcnRpZmljYXRlIFNpZ25pbmcgQXV0aG9yaXR5MSkwJwYJKoZIhvcNAQkBFhpj ZXJ0bWFzdGVyQHZpYXRoaW5rc29mdC5kZTAeFw0wOTEwMjUxNDI0MDZaFw0zNDA2 MTYxNDI0MDZaMIH1MQswCQYDVQQGEwJERTEbMBkGA1UECBMSQmFkZW4tV3VlcnR0 ZW1iZXJnMRIwEAYDVQQHEwlCYW1tZW50YWwxFTATBgNVBAoTDFZpYVRoaW5rU29m dDEyMDAGA1UECxMpSW50ZXJtZWRpYXRlIENsaWVudCBDZXJ0aWZpY2F0ZSBBdXRo b3JpdHkxPzA9BgNVBAMTNlZpYVRoaW5rU29mdCBJbnRlcm1lZGlhdGUgQ2xpZW50 IENlcnRpZmljYXRlIEF1dGhvcml0eTEpMCcGCSqGSIb3DQEJARYaY2VydG1hc3Rl ckB2aWF0aGlua3NvZnQuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC AQDG98FYiC6ugK1c7sjNIKjmqrmiEqcc11zJhC+qkEUbl8yp9q8zRBzaXSVoFYG7 +aESdau1MPJWcbIuXjTeSf66wCZwiF8QY8e8to5b/o5QE5VHwJyCH609zBXJlwDK +0kQHeTIOproiVXHUiyhUrY0cSuoPvqXaxFZtb6cIkYXh/IbOd2lI4ENNomH+oxV Zs10tEISGuOXN3RarPizq2dCDbl3RWHWtPJW7LCK4O8WVO/4FrSFTQQArx2jSG+0 8VXoXuFRCjyjXVn/3+QDFjJYUUsYqz6thQidqLsUGKmhucaF2dGA21w/S86crcQm 0n4mef3lnMUjchNQFlQXfKIlzyUJIDVQ+uu1YGAt3+FeOHyqzi48ZjuVQ1bNxCnl XGqInbqHopUc9FDgnZOptupV+OKtWX/Xpqk84ikbbvhzuoqnFNILNKcXmEcK49Rr anpdatSKtseN0NKycHGf//8khNWHjGRoFqAUaL0WeNW9i8XGBMBqTVVfStYdjqT9 H8OHgsIS4KCSbeRdrfCib20UUnC98tS8FGk+QUIrcc/2O5cSra8TnqlXbl1/1LYi /TbAZ/LAexUUuKCej6cwNA07avNLSsWogSNGTBCiLo3VaWNIgGrhNYnGsQhMg/++ X1OuGmIqqylk0ULdvUFyVBdEnSJXFwdg4Vc4MGUp/slizQIDAQABo4IELzCCBCsw HQYDVR0OBBYEFCPJ71NtqCw2JN6KONc6TCqHaKIgMIIBFgYDVR0jBIIBDTCCAQmA FNdNbTAYw3Y3tKbJqcdGEXWM0pc4oYHtpIHqMIHnMQswCQYDVQQGEwJERTEbMBkG A1UECBMSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHEwlCYW1tZW50YWwxFTAT BgNVBAoTDFZpYVRoaW5rU29mdDErMCkGA1UECxMiUm9vdCBDZXJ0aWZpY2F0ZSBT aWduaW5nIEF1dGhvcml0eTE4MDYGA1UEAxMvVmlhVGhpbmtTb2Z0IFJvb3QgQ2Vy dGlmaWNhdGUgU2lnbmluZyBBdXRob3JpdHkxKTAnBgkqhkiG9w0BCQEWGmNlcnRt YXN0ZXJAdmlhdGhpbmtzb2Z0LmRlggEAMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYD VR0PBAQDAgEGME0GA1UdJQEB/wRDMEEGCCsGAQUFBwMCBggrBgEFBQcDBAYKKwYB BAGCNwoDBAYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEFBQcDCTAlBgNVHREE HjAcgRpjZXJ0bWFzdGVyQHZpYXRoaW5rc29mdC5kZTAlBgNVHRIEHjAcgRpjZXJ0 bWFzdGVyQHZpYXRoaW5rc29mdC5kZTA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8v d3d3LnZpYXRoaW5rc29mdC5kZS9jYS9jcmwvY2xpZW50LmNybDARBglghkgBhvhC AQEEBAMCAQYwNAYJYIZIAYb4QgEDBCcWJWh0dHA6Ly93d3cudmlhdGhpbmtzb2Z0 LmRlL2NhL3Jldm9rZS8wOwYJYIZIAYb4QgEEBC4WLGh0dHA6Ly93d3cudmlhdGhp bmtzb2Z0LmRlL2NhL2NybC9jbGllbnQuY3JsMDQGCWCGSAGG+EIBCAQnFiVodHRw Oi8vd3d3LnZpYXRoaW5rc29mdC5kZS9jYS9wb2xpY3kvMC0GCWCGSAGG+EIBAgQg Fh5odHRwOi8vd3d3LnZpYXRoaW5rc29mdC5kZS9jYS8wfgYIKwYBBQUHAQEEcjBw MDYGCCsGAQUFBzABhipodHRwOi8vd3d3LnZpYXRoaW5rc29mdC5kZS9jYS9vY3Nw L2NsaWVudC8wNgYIKwYBBQUHMAKGKmh0dHA6Ly93d3cudmlhdGhpbmtzb2Z0LmRl L2NhL2NydC9yb290LmNydDA7BglghkgBhvhCAQcELhYsaHR0cDovL3d3dy52aWF0 aGlua3NvZnQuZGUvY2EvY3J0L2NsaWVudC5jcnQwSwYDVR0gBEQwQjAGBgRVHSAA MDgGAQAwMzAxBggrBgEFBQcCARYlaHR0cDovL3d3dy52aWF0aGlua3NvZnQuZGUv Y2EvcG9saWN5LzANBgkqhkiG9w0BAQUFAAOCAgEAijxbdLlgXmh1mtKim6v6JkWb PmYaryCEkJI1hYNF4/4UpPxk2glhwAzA+fO9GWo3ta0c00ocmqXOZ3ZQZ4yD0Li3 ALbctFVT/GsDEIHYA9hm7R29w9nja2xVFf/PADnF8LXdP4Avk39U3mdUvm8X9D5F SMjE8abFniXTF1niFxjHfj+AgKb0FpuIsNj5rxnGIvVRcDkmpvl1xok7u7+/0xzr dEBcQZeiCnWy16PnC6DIVeQ8gytyT13YAGnG6R/nPNJB24s2jMH9IhWTw+1XYg78 /MubRAfGsGx3cJnbi7oLhyDYcHV8k6Kf4c/qkJLo5dBEmv6YqML/bXyXRXvFcQ92 kwLA/esntMaJjCuskiLm4aJveMHydHBtJvmHACnQt2LpEZoeZWSZrJebIrTgFlM0 8NNyeCug6+sDpWezhOoQwHXzZekOPKjwctP4PIma7ybgQ/sHoqhR1S9dm10mCmfM nKFSQYKpMxAlFjaeIcIQa42fOzQv7k7FNs1V7xPSrZjmC6OJ7XTkJw7CAbeOOsmD G4CVKbET4wW+ugx6GHF7yaM+CiE2CG6OuOH9A0kGKheO5IM2uKSlddZZCOHuMTxc BWibFPJ8IcoHwlQgCB69P0283P9Mo8ZyyH5JrIaSP3HhbW0Vvj1wuv6KEm8247ZC ie14uy60mJTLVnaxerg= -----END CERTIFICATE----- PS: Is OCSP not checked with the verify tool? Best regards Daniel Marschall ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
