[openssl-users] Verifying a timestamp signed using a cert issued by a sub CA (intermediate)
Dave Coombs
dcoombs at carillon.ca
Tue Nov 14 14:04:41 UTC 2017
Hi Marcus,
Try giving -CAfile a concatenated file with both CA certificates inside.
hulk:/tmp $ cat DSS* > chain.pem
hulk:/tmp $ openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile chain.pem
Verification: OK
Cheers,
-Dave
> On Nov 14, 2017, at 02:30, Marcus Lundblad <marcus.lundblad at primekey.com> wrote:
>
> Hi!
>
> I'm trying to verify a timestamp that was signed using a signer
> certificate that has been issued by an intermediate CA.
> I'm only able to verify when specifying the intermediate CA certificate
> as "-untrusted" and the root CA cert as "-CAfile":
>
> openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile res/test/dss10/DSSRootCA10.cacert.pem -untrusted res/test/dss10/DSSSubCA11.cacert.pem
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: OK
>
> When running with just -CAfile pointing to the intermediate CA cert, I
> get:
>
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: FAILED
> 140693337339136:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get issuer certificate
>
> And if setting -CAfile to point to the root CA cert:
>
> Using configuration from /usr/lib/ssl/openssl.cnf
> Verification: FAILED
> 140228374308096:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get local issuer certificate
>
> I'm thinking both these variants should have worked (the timestamp
> response is including the complete chain in the ESSCertID structure).
>
> Attached are the CA certs, the signer cert (ts00003.pem), the query
> (out10.tsq), and the response (out10.tsp)
>
> Regards,
> Marcus Lundblad
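The four trust configurations discussed in this thread, reproduced as an added example that is not part of the original messages. The PKI, file names, subject names and policy OID are constructed for the demonstration, and the token is assumed to embed only the signer certificate (no sub CA certificate).

```shell
#!/bin/sh
# Constructed throwaway PKI (all names are made up): root CA -> sub CA -> TSA signer.
make_pki() {
  cd "$(mktemp -d)" || return 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_tsa]
extendedKeyUsage = critical,timeStamping
[tsa]
default_tsa = tsa1
[tsa1]
serial = ./tsa.serial
signer_cert = ./tsa.pem
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
  export OPENSSL_CONF="$PWD/pki.cnf"   # keep every openssl call on this demo config
  k='-newkey rsa:2048 -nodes'          # unencrypted demo keys, never reuse
  openssl req -x509 $k -keyout root.key -out root.pem -subj '/CN=Demo Root CA' -extensions v3_ca -days 2 &&
  openssl req -new $k -keyout sub.key -out sub.csr -subj '/CN=Demo Sub CA' &&
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile pki.cnf -extensions v3_ca -out sub.pem -days 2 &&
  openssl req -new $k -keyout tsa.key -out tsa.csr -subj '/CN=Demo TSA' &&
  openssl x509 -req -in tsa.csr -CA sub.pem -CAkey sub.key -CAcreateserial -extfile pki.cnf -extensions v3_tsa -out tsa.pem -days 2 &&
  echo 01 > tsa.serial && echo 'constructed sample data' > data.txt &&
  openssl ts -query -data data.txt -sha256 -cert -out q.tsq &&
  openssl ts -reply -config pki.cnf -queryfile q.tsq -out r.tsr &&
  cat root.pem sub.pem > chain.pem     # same idea as "cat DSS* > chain.pem"
}
verdict() {  # verdict <ts -verify trust options>: prints OK or FAILED
  if openssl ts -verify -in r.tsr -queryfile q.tsq "$@" >/dev/null 2>&1
  then echo OK; else echo FAILED; fi
}
make_pki >/dev/null 2>&1 || { echo 'setup failed' >&2; exit 1; }
echo "-CAfile root only:             $(verdict -CAfile root.pem)"
echo "-CAfile sub CA only:           $(verdict -CAfile sub.pem)"
echo "-CAfile root, -untrusted sub:  $(verdict -CAfile root.pem -untrusted sub.pem)"
echo "-CAfile chain.pem (root+sub):  $(verdict -CAfile chain.pem)"
```

Both working variants build the same path, but they differ in what is trusted: every certificate in the `-CAfile` bundle goes into the trusted store, while `-untrusted` supplies the sub CA only as chain-building material under the root.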