[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca

Michael mihertz at gmx.de
Mon Mar 14 06:47:46 UTC 2016

> This is not a check of the intermediate certificate as an actual
> intermediate in a chain, this only checks it as a leaf certificate.
> Your entire chain is just:

>    root ---> revokedIntermediate

Yes - as a leaf of root, using the roots crl to see if any root-signed certs are revoked.

> Try:
>    openssl s_client -crl_check_all ...

Works! Great, thanks for the hint Viktor.
Just recognized, that the manpage lists the "crl_check_all" options right after the "crl_check", which i used... >_<

Using the crl_check_all it also complains about a missing crl now, when I remove the root's crl from the store.
This wasnt the case when using crl_check, which also wondered me a bit before.
Not it all makes sense :-)

Thanks again!

More information about the openssl-users mailing list