Never mind. I have found the error #1. By appending the CRLs to the CA-chain, the CRL-error 3 disappears now. (The appending of CRLs to the chain was not described in the manual!)
But the second issuer subject error makes me crazy. I noticed that I have the same problems as described here: http://www.mail-archive.com/[email protected]/msg30729.html .

My commands are:

openssl x509 -in ca_root/certs/cacert.crt -issuer -noout
openssl crl -in ca_root/crl/ca.pem -issuer -noout

The result is:

issuer= /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Root Certificate Signing Authority/CN=ViaThinkSoft Root Certificate Signing Authority/[email protected]
issuer=/C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Root Certificate Signing Authority/CN=ViaThinkSoft Root Certificate Signing Authority/[email protected]

Since the certificates are self-made, I am sure that there is no whitespace.

You can download the certificates and test it on your own here:

CRT: http://www.viathinksoft.de/ca/crt/root.crt
CRL: http://www.viathinksoft.de/ca/crl/root.crl

What can I do? I want to have these subject tests too.

Alas, I CANNOT change the OpenSSL version since I already use the latest stable of my Debian system. The system administrator does not allow me to enforce an update to an unstable version.

Regards
Daniel Marschall

2009/10/25, Daniel Marschall <[email protected]>:
> Hello.
>
> I have a problem with verification of certificates.
>
> I have a root, an intermediate and a client certificate. Every
> certificate has CRL information (client shows the intermediate CRL).
>
> The chain is:
>
> ViaThinkSoft Root Certificate Signing Authority (CRL: Root)
> - ViaThinkSoft Intermediate Client Certificate Authority (CRL: Intermediate)
> - - Daniel Marschall (CRL: Intermediate)
>
> At the verification process I get 2 types of errors
> 1. Issuer subject name errors
> 2. A CRL-Retrieving error
>
> How can I solve these errors?
>
> Here is my command line:
>
> cat root.crt > tmp_cachain.pem
> cat intermediate.crt >> tmp_cachain.pem
> openssl verify -verbose -issuer_checks -crl_check_all -CAfile tmp_cachain.pem daniel-marschall.crt
>
> The result is:
>
> daniel-marschall.crt:
> /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected]
> error 29 at 0 depth lookup:subject issuer mismatch
>
> /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected]
> error 29 at 0 depth lookup:subject issuer mismatch
>
> /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected]
> error 29 at 0 depth lookup:subject issuer mismatch
>
> /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Intermediate Client Certificate Authority/CN=ViaThinkSoft Intermediate Client Certificate Authority/[email protected]
> error 29 at 0 depth lookup:subject issuer mismatch
>
> /C=DE/ST=Baden-Wuerttemberg/L=Bammental/O=ViaThinkSoft/OU=Developers/CN=Daniel Marschall/[email protected]
> error 3 at 0 depth lookup:unable to get certificate CRL
>
> The CRL URIs are stored in the certificates. I expect that the verify
> tool downloads the CRLs to simulate if the verification process would
> work at the client's side.
>
> My OpenSSL version is OpenSSL 0.9.8c 05 Sep 2006 (CANNOT change!)
>
> Can you please help?
>
> My tmp_cachain.pem is:
>
> PS: Is OCSP not checked with the verify tool?
>
> Best regards
> Daniel Marschall
>

--
Daniel Marschall
www.daniel-marschall.de
+49 6223 488840
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
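The fix reported in the message above (CRLs appended to the file passed to -CAfile), reproduced as an added example that is not part of the original post or of the OpenSSL project. It assumes a throwaway two-level CA, so it uses -crl_check instead of the post's -crl_check_all, and every file name and subject in it is constructed; it also compares the CRL issuer with the CA subject in a single name format.

```shell
#!/bin/sh
# Added example: a throwaway CA, built only to show where `openssl verify`
# looks for CRLs. Every file name and subject below is constructed.

check() {  # $1 = file passed to -CAfile; prints ok only on a clean verify
  out=$(openssl verify -crl_check -CAfile "$1" leaf.crt 2>&1) || true
  case $out in *error*) echo fail ;; *": OK"*) echo ok ;; *) echo fail ;; esac
}

dn() { sed 's/^[^=]*= *//'; }  # drop the "subject=" / "issuer=" label

crl_demo() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = ./index.txt
default_md = sha256
EOF
  : > index.txt   # empty revocation database: the CRL lists nothing
  {
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Constructed Test Root" -keyout root.key -out root.crt &&
    openssl req -config demo.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Constructed Leaf" -keyout leaf.key -out leaf.csr &&
    openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -days 30 -out leaf.crt &&
    openssl ca -config demo.cnf -gencrl -keyfile root.key -cert root.crt \
      -crldays 30 -out root.crl
  } >/dev/null 2>&1 || exit 1
  r1=$(check root.crt)              # certificate only: CRL lookup fails
  cat root.crt root.crl > chain.pem
  r2=$(check chain.pem)             # CRL appended to the trust file
  # The CRL issuer must equal the CA subject; print both in one name format.
  a=$(openssl x509 -in root.crt -noout -subject -nameopt RFC2253 | dn)
  b=$(openssl crl -in root.crl -noout -issuer -nameopt RFC2253 | dn)
  [ "$a" = "$b" ] && r3=match || r3=differ
  echo "without_crl=$r1 with_crl=$r2 issuer=$r3"
  cd / && rm -rf "$dir"
)

crl_demo
```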
