[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

mihertz at gmx.de
Fri Mar 11 09:38:19 UTC 2016


> I am testing with revoking certificates.
>
> My PKI has a root and 2 intermediates, which then sign server and client certificates.
> My test environment consists of an s_client and an s_server referencing the corresponding files and a verifydir with c_rehashed files.
> TLS connections work fine from s_client to s_server; the chain is exposed and recognized properly.
>
> I successfully revoked server certificates with the intermediate CA CRL.
> When trying to connect using the s_client "-crl_check" arg, the "certificate revoked" notification shows up correctly.
>
> I also successfully created a CRL with the root CA that revokes one of the intermediates.
> The serial number of the revoked intermediate is shown correctly in the CRL, and the CRL is c_rehashed in the verify dir of the client.
> But no matter what I try, the s_client does NOT show "certificate revoked" when I connect to the corresponding s_server using the certificate signed by the revoked intermediate.
>
> Any ideas what I could be doing wrong?
>
> I am on version OpenSSL 1.0.1f 6 Jan 2014

Thanks for the answers and the time spent.
Sorry, did not mean to trigger a debate of principles :-)

In further tracking down the cause I was trying to use "openssl verify" commands.
When I issue "openssl verify -CApath verifydir -crl_check revokedIntermediate.crt", the intermediate cert is correctly shown as revoked, so the content of the verifydir is fine, I think.

Somehow s_client does not recognize that when connecting to the corresponding s_server.
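The thread above hinges on the difference between checking the CRL for the end-entity certificate only and checking CRLs for every certificate in the chain. In OpenSSL's verify(1) and s_client(1), `-crl_check` does the former and `-crl_check_all` the latter. The script below is an added example, not part of the original message and not OpenSSL's own tooling: it builds a throwaway root, intermediate and leaf in a scratch directory, lets the root revoke the intermediate in its CRL, fills a c_rehash-style verify directory, and then runs `openssl verify` on the leaf with each flag. The CA names (TestRoot, TestIntermediate, leaf.example), the `ca.cnf` contents and the directory layout are assumptions made for this demonstration.

```shell
#!/bin/sh
# Constructed example, not from the thread: build a throwaway
# root -> intermediate -> leaf PKI in a scratch directory, let the root
# revoke the intermediate in its CRL, then run "openssl verify" against the
# resulting c_rehash-style directory with -crl_check and with -crl_check_all.
# Names (TestRoot, TestIntermediate, leaf.example) and ca.cnf are assumptions.
set -eu

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# minimal "openssl ca" configuration; $ENV::CA_DIR selects whose database is used
write_cnf() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_dn
[ any_dn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
}

init_ca_db() { mkdir -p "$1"; : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"; }

# run "openssl ca" against the database of the CA directory named in $1
ca_cmd() { d=$1; shift; CA_DIR=$d openssl ca -config ca.cnf "$@"; }

build_pki() {
    write_cnf ca.cnf
    init_ca_db root_ca
    init_ca_db inter_ca
    export CA_DIR=root_ca   # ca.cnf dereferences $ENV::CA_DIR even when only req reads it

    # root CA (self-signed), intermediate CA issued by the root, leaf issued by the intermediate
    openssl req -new -x509 $KEYOPTS -keyout root.key -out root.crt -subj /CN=TestRoot \
        -days 365 -config ca.cnf -extensions ca_ext
    openssl req -new $KEYOPTS -keyout inter.key -out inter.csr -subj /CN=TestIntermediate -config ca.cnf
    ca_cmd root_ca -batch -notext -cert root.crt -keyfile root.key -in inter.csr -out inter.crt -extensions ca_ext
    openssl req -new $KEYOPTS -keyout leaf.key -out leaf.csr -subj /CN=leaf.example -config ca.cnf
    ca_cmd inter_ca -batch -notext -cert inter.crt -keyfile inter.key -in leaf.csr -out leaf.crt -extensions leaf_ext

    # the root revokes the intermediate and publishes a CRL saying so; the intermediate
    # publishes an empty CRL so that the leaf itself has a CRL to be checked against
    ca_cmd root_ca -cert root.crt -keyfile root.key -revoke inter.crt
    ca_cmd root_ca -cert root.crt -keyfile root.key -gencrl -out root.crl
    ca_cmd inter_ca -cert inter.crt -keyfile inter.key -gencrl -out inter.crl

    # hash the CA certs and CRLs the way c_rehash does: <hash>.0 for certs, <hash>.r0 for CRLs
    mkdir -p verifydir
    for c in root.crt inter.crt; do cp "$c" "verifydir/$(openssl x509 -hash -noout -in "$c").0"; done
    for r in root.crl inter.crl; do cp "$r" "verifydir/$(openssl crl -hash -noout -in "$r").r0"; done
}

# verify the leaf with the given CRL flag and reduce the outcome to one word;
# the text is matched rather than the exit status because old releases of
# "openssl verify" exit 0 even after reporting an error
verify_with() {
    out=$(openssl verify -CApath verifydir "$1" leaf.crt 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo OK ;;
        *)                       echo "OTHER: $out" ;;
    esac
}

run_demo() {
    work=$(mktemp -d)
    (
        cd "$work"
        build_pki >/dev/null 2>&1
        echo "-crl_check     (leaf only):   $(verify_with -crl_check)"
        echo "-crl_check_all (whole chain): $(verify_with -crl_check_all)"
    )
    rm -rf "$work"
}

run_demo
```

With `-crl_check` the leaf passes, because only the leaf's own CRL (the intermediate's, which is empty) is consulted; with `-crl_check_all` the walk up the chain hits the root CRL and reports "certificate revoked" at depth 1. The same pair of flags exists on `s_client`, which hands them to the same verification code. Two caveats worth knowing when reading such results: `-crl_check` on its own fails with "unable to get certificate CRL" if no current CRL for the leaf's issuer is in the verify directory, and releases before 1.1.0 print the error line and still exit 0, so scripts should match the output text rather than the exit status.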