Rich Salz wrote:
>
> Sorry, you're right. The cert-sign is okay, but the crl-sign cert
> which is signed by cert-sign fails to verify the sig. We'd normally
> suspect the CA that generated the certs, but (1) it verifies when we
> use our hardware crypto; (2) it's not our CA. :)
>
> So, we do believe there's a bug in openssl.
>
You say crl-sign is signed by cert-sign? That's odd, crl-sign should be
self-signed (issuer and subject names match).
> > Seems like it doesn't like that certificates signature. I've tried IE5
> > on the same certificates and it also says cert-sign is OK but crl-sign
> > has an invalid signature.
>
> That's interesting, since we were told IE (probably 4 not 5) had no
> problem. We'll check here.
>
There are some browsers that don't check the signature of self-signed
certificates if you "trust" them. Netscape is one, I wouldn't be
surprised if IE4 didn't do the same (if it checks them at all).
However I've tried the certificate under Netscape 4.08 when the trust
flag is turned off and it gives a signature error too.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]