Sorry, you're right. The cert-sign is okay, but the crl-sign cert
which is signed by cert-sign fails to verify the sig. We'd normally
suspect the CA that generated the certs, but (1) it verifies when we
use our hardware crypto; (2) it's not our CA. :)
So, we do believe there's a bug in openssl.
> Seems like it doesn't like that certificates signature. I've tried IE5
> on the same certificates and it also says cert-sign is OK but crl-sign
> has an invalid signature.
That's interesting, since we were told IE (probably 4 not 5) had no
problem. We'll check here.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
