[openssl-users] Verifying a timestamp signed using a cert issued by a sub CA (intermediate)

Dave Coombs dcoombs at carillon.ca
Tue Nov 14 14:04:41 UTC 2017


Hi Marcus,

Try giving -CAfile a concatenated file with both CA certificates inside.

hulk:/tmp $ cat DSS* > chain.pem

hulk:/tmp $ openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile chain.pem
Verification: OK

Cheers,
  -Dave


> On Nov 14, 2017, at 02:30, Marcus Lundblad <marcus.lundblad at primekey.com> wrote:
> 
> Hi!
> 
> I'm trying to verify a timestamp that was signed using a signer
> certificate that has been issued by an intermediate CA.
> I'm only able to verify when specifying the intermediate CA certificate
> as "-untrusted" and the root CA cert as "-CAfile":
> 
> openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile res/test/dss10/DSSRootCA10.cacert.pem -untrusted res/test/dss10/DSSSubCA11.cacert.pem
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: OK
> 
> When running with just -CAfile pointing to the intermediate CA cert, I
> get:
> 
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: FAILED
> 140693337339136:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get issuer certificate
> 
> And if setting -CAfile to point to the root CA cert:
> 
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: FAILED
> 140228374308096:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get local issuer certificate
> 
> I'm thinking both these variants should have worked (the timestamp
> response is including the complete chain in the ESSCertID structure).
> 
> Attached are the CA certs, the signer cert (ts00003.pem), the query
> (out10.tsq), and the response (out10.tsp)
> 
> Regards,
> Marcus Lundblad
> <DSSRootCA10.cacert.pem> <DSSSubCA11.cacert.pem> <out10.tsp> <out10.tsq> <ts00003.pem>
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


