[openssl-users] OpenSSL - unable to get certificate CRL

Juergen Edner juergen at eisfair.org
Tue Oct 11 14:25:26 UTC 2016

I hope you can help me to understand why OpenSSL doesn't act as expected
when I try to verify a certificate chain.
On my server the certificate files are stored in the following
directory structure:

/usr/local/ssl/certs     -> certificate files
              /crl       -> CRL files
              /csr       ...

In both directories symbolic hash links are pointing to the
original files (.0 for certificates, .r0 for CRLs)

When I now execute the following command an "error 3 at 0 depth
lookup:unable to get certificate CRL" error is displayed.

# openssl verify -verbose -CApath /usr/local/ssl/certs -purpose any
-crl_check /usr/local/ssl/certs/cert-to-check.pem

Due to the fact that I couldn't explain this behaviour I used strace
for a deeper analysis and found out the the program searches the CRL
file in the ../certs directory instead of the ../crl one.

stat64("/usr/local/ssl/certs/95f6ee89.r0", 0xbfc2f3ac) = -1 ENOENT
(No such file or directory)

For test purposes I've created the symbolic link to the CRL at the
given location and the verification succeed and shows "OK".

Can anyone tell me if this is the normal behaviour or how I could
force OpenSSL to search the CRLs in the right directory?  Is there
any entry in the openssl.cnf file missing?


More information about the openssl-users mailing list