[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

Jakob Bohm jb-openssl at wisemo.com
Thu Mar 10 21:41:28 UTC 2016

On 10/03/2016 20:11, michael at secure-mail.biz wrote:
> Hey openssl users,
> I am testing with revoking certificates.
> My PKI has a root and 2 intermediates, which then sign server and 
> client certificates
> My test environment consists of a s_client and a s_server referencing 
> the corresponding files and a verifydir with c_rehased files.
> TLS connections work fine from s_client to s_server, chain is exposed 
> and recognized properly.
> I successfully revoked server-certificates with the intermediate ca crl.
> When trying to connect using the s_client "-crl_check" arg the 
> "certificate revoked" notification shows up correctly.
> I also successfully created a crl with the root ca, that revokes one 
> of the intermediates.
> The serialnumber of the revoked intermediate is shown correctly in the 
> crl and the crl is c_rehashed in the verify dir of the client.
> But no matter what i try, the s_client does NOT show the "certificate 
> revoked" when I connect to the corresponding s_server using the 
> certificate signed by the revoked intermediate.
> Any ideas what i could be doing wrong?

Make sure the intermediary is not included in the "CA storage"
(hashed or single file) used by the client.  Anything in that
storage is considered valid and not checked for revocation or

> I am on version OpenSSL 1.0.1f 6 Jan 2014
That's a bit old.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list