[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

Viktor Dukhovni openssl-users at dukhovni.org
Fri Mar 11 15:36:38 UTC 2016

On Fri, Mar 11, 2016 at 10:38:19AM +0100, mihertz at gmx.de wrote:

> In further tracking down the cause i was trying to use "openssl verify"
> commands.
> When I issue the "openssl verify -CApath verifydir -crl_check
> revokedIntermediate.crt" the intermediate cert is correctly shown as
> revoked, so the content of the verifydir is fine I think.

This is not a check of the intermediate certificate as an actual
intermediate in a chain, this only checks it as a leaf certificate.
Your entire chain is just:

    root ---> revokedIntermediate

> Somehow s_client does not recognize that, when connecting to the
> corresponding s_server.


    openssl s_client -crl_check_all ...


More information about the openssl-users mailing list