[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

Viktor Dukhovni openssl-users at dukhovni.org
Fri Mar 11 15:36:38 UTC 2016


On Fri, Mar 11, 2016 at 10:38:19AM +0100, mihertz at gmx.de wrote:

> In further tracking down the cause I was trying to use "openssl verify"
> commands.
> When I issue the "openssl verify -CApath verifydir -crl_check
> revokedIntermediate.crt" the intermediate cert is correctly shown as
> revoked, so the content of the verifydir is fine I think.

This is not a check of the intermediate certificate as an actual
intermediate in a chain; this only checks it as a leaf certificate.
Your entire chain is just:

    root ---> revokedIntermediate

> Somehow s_client does not recognize that, when connecting to the
> corresponding s_server.

Try:

    openssl s_client -crl_check_all ...

-- 
	Viktor.
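
The distinction drawn above, as an added example that is not part of the original post: a constructed throwaway PKI in which the root revokes the intermediate, then three `openssl verify` runs showing that `-crl_check` covers only the certificate at depth 0 while `-crl_check_all` covers the whole chain. The names Demo Root, Demo Intermediate, leaf.example and all file names are assumptions, and an `openssl` binary is assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI: Demo Root -> Demo Intermediate (revoked) -> leaf.example
q() { openssl "$@" >/dev/null 2>&1; }   # run openssl quietly

build_pki() {   # $1 = empty work dir; the shell stays in it afterwards
  cd "$1" && mkdir root int && touch root/index.txt int/index.txt || return 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 30
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  local new="-newkey rsa:2048 -nodes -config ca.cnf" ca="ca -config ../ca.cnf"
  q req -x509 $new -keyout root.key -out root.crt -subj "/CN=Demo Root" -days 30 -extensions v3_ca &&
  q req -new $new -keyout int.key -out int.csr -subj "/CN=Demo Intermediate" &&
  q x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 -days 30 \
    -extfile ca.cnf -extensions v3_ca -out int.crt &&
  q req -new $new -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example" &&
  q x509 -req -in leaf.csr -CA int.crt -CAkey int.key -set_serial 3 -days 30 -out leaf.crt &&
  # The root revokes the intermediate; each CA then publishes its own CRL.
  (cd root && q $ca -keyfile ../root.key -cert ../root.crt -revoke ../int.crt &&
    q $ca -keyfile ../root.key -cert ../root.crt -gencrl -out ../root.crl) &&
  (cd int && q $ca -keyfile ../int.key -cert ../int.crt -gencrl -out ../int.crl) &&
  cat root.crl int.crl > crls.pem
}

verify_cert() {   # $1 = revocation flag, $2 = certificate to verify
  local out
  out=$(openssl verify -CAfile root.crt -untrusted int.crt -CRLfile crls.pem "$1" "$2" 2>&1)
  case $out in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo OK ;;
    *)                       echo ERROR ;;
  esac
}

WORK=$(mktemp -d) && build_pki "$WORK" || { echo "PKI setup failed" >&2; exit 1; }
printf '%-32s %s\n' \
  "int.crt alone, -crl_check:"      "$(verify_cert -crl_check int.crt)" \
  "leaf.crt chain, -crl_check:"     "$(verify_cert -crl_check leaf.crt)" \
  "leaf.crt chain, -crl_check_all:" "$(verify_cert -crl_check_all leaf.crt)"
```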

