On Wed, Dec 5, 2012 at 12:18 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 12/5/2012 5:30 PM, Will Nordmeyer wrote:
>>
>> On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson <st...@openssl.org>
>> wrote:
>>>
>>> On Wed, Dec 05, 2012, Will Nordmeyer wrote:
>>>
>>>> On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson <st...@openssl.org>
>>>> wrote:
>>>>>
>>>>> On Wed, Dec 05, 2012, Will Nordmeyer wrote:
>>>>>
>>>>>> They are US. gov't certificates & CRLs, so providing them is a little
>>>>>> complicated. Before I had the proper root & intermediate CAs loaded
>>>>>> and hashed, I would get errors about missing certs in the chain.
>>>>>> Similarly, before I loaded the CRL, it would have issues.
>>>>>>
>>>>>> The CERTs are in PEM formats, as well as the CRLs.
>>>>>>
>>>>>
>>>>> I'd suggest you try a version of OpenSSL from the website to see if you
>>>>> have problems with that.
>>>>>
>>>>> Version "1.0.0-25" or "1.0.0-fips" is not a standard OpenSSL version.
>>>>>
>>>> I installed 1.0.1c (and verified it is the one being called).
>>>>
>>>> When I first reran the commands as I listed earlier, I got
>>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>>
>>>> I added -CApath /etc/ssl/certs and everything comes back OK again.
>>>
>>>
>>> Try a sanity check on a certificate, for example:
>>>
>>> openssl x509 -in TestForty_Expired.pem -noout -dates
>>>
>> OK... now I have insanity -
>>
>> openssl x509 -in TestFortyTwo_Expired.pem -noout -dates
>> notBefore=Dec 30 18:09:39 2008 GMT
>> notAfter=Dec 29 18:09:39 2014 GMT
>>
>> I have certificate 42 imported into my Internet Explorer browser, it
>> indicates the validity dates as:
>> IE tells me it is valid from 9/13/2011 to 9/14/2011
>>
> Ok, try
>
> openssl x509 -in TestFortyTwo_Expired.pem -noout -text
>
> and compare all the details to what you see in IE.
>
> Maybe it is not the same certificate.
>
>
>> Can I switch careers to basket weaving?
>
>
> Nah, I think that got outsourced (back) to China too.
>
>
> Enjoy
>

AH - found the issue... my TestFortyTwo_Expired.pem has 3 certs in it - the root cert, the intermediate cert and then the user cert.
I stripped out the root & intermediate cert from the PEM file and openssl now properly reports TestFortyTwo_Expired.pem as expired.

I did the same clean up on TestThirtySeven_Revoked.pem - took out the root cert & the intermediate cert and then ran it through dates - dates are fine ... ran it through verify with the following command to see a revoked certificate response:

# openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: OK
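
An added example, not part of the original thread: `openssl x509` and `openssl verify` act only on the first certificate in a file, so a bundle that starts with the root reports the root's dates, as happened above. These shell functions count the blocks in a PEM file and write the last one to its own file; the function names and the placeholder sample bundle are constructed for illustration, and treating the last block as the user cert assumes the root, intermediate, user order described in the message.

```shell
#!/bin/sh
# Added example (not from the thread): split a PEM bundle before inspecting it.
# openssl x509 and openssl verify act on the first certificate in a file only.

# Print how many certificate blocks a PEM file holds.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the Nth (1-based) certificate block, armor lines included.
extract_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; keep = (n == want) }
        keep                           { print }
        /^-----END CERTIFICATE-----/   { keep = 0 }
    ' "$1"
}

# Write the last block to $2 and print the block count. The last block is the
# user cert only for the root, intermediate, user order seen in the thread.
split_leaf() {
    total=$(count_certs "$1")
    [ "$total" -ge 1 ] || { echo "no certificate in $1" >&2; return 1; }
    extract_cert "$1" "$total" > "$2"
    echo "$total"
}

# Constructed sample: three blocks with placeholder bodies, not real certificates.
make_sample_bundle() {
    for body in ROOTplaceholderAAAA INTERMEDIATEplaceholderBBBB USERplaceholderCCCC; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done > "$1"
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/bundle.pem"
echo "blocks in bundle: $(split_leaf "$tmp/bundle.pem" "$tmp/leaf.pem")"
echo "blocks in leaf:   $(count_certs "$tmp/leaf.pem")"
# With real files, inspect the split-out cert:
#   openssl x509 -in leaf.pem -noout -subject -dates
rm -rf "$tmp"
```

A count above 1 for a file that is supposed to hold a single end-entity certificate is the signal to split it before trusting the `-dates` or `verify` output.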