[openssl-users] problems with s_client recognizing revoked intermediate/subordinate ca
mihertz at gmx.de
Mon Mar 14 06:47:46 UTC 2016
> This is not a check of the intermediate certificate as an actual
> intermediate in a chain, this only checks it as a leaf certificate.
> Your entire chain is just:
> root ---> revokedIntermediate
Yes - as a leaf of root, using the roots crl to see if any root-signed certs are revoked.
> openssl s_client -crl_check_all ...
Works! Great, thanks for the hint Viktor.
Just recognized, that the manpage lists the "crl_check_all" options right after the "crl_check", which i used... >_<
Using the crl_check_all it also complains about a missing crl now, when I remove the root's crl from the store.
This wasnt the case when using crl_check, which also wondered me a bit before.
Not it all makes sense :-)
More information about the openssl-users