[openssl-users] Verifying a timestamp signed using a cert issued by a sub CA (intermediate)

Marcus Lundblad marcus.lundblad at primekey.com
Tue Nov 14 07:30:13 UTC 2017


Hi!

I'm trying to verify a timestamp that was signed using a signer
certificate that has been issued by an intermediate CA.
I'm only able to verify when specifying the intermediate CA certificate
as "-untrusted" and the root CA cert as "-CAfile":

openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile res/test/dss10/DSSRootCA10.cacert.pem -untrusted res/test/dss10/DSSSubCA11.cacert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: OK

When running with just -CAfile pointing to the intermediate CA cert, I
get:

Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
140693337339136:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get issuer certificate

And if setting -CAfile to point to the root CA cert:

Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
140228374308096:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get local issuer certificate

I'm thinking both these variants should have worked (the timestamp
response includes the complete chain in the ESSCertID structure).

Attached are the CA certs, the signer cert (ts00003.pem), the query
(out10.tsq), and the response (out10.tsp)

Regards,
Marcus Lundblad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DSSRootCA10.cacert.pem
Type: application/x-pem-file
Size: 7140 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171114/687548ef/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DSSSubCA11.cacert.pem
Type: application/x-x509-ca-cert
Size: 1619 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171114/687548ef/attachment-0002.crt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: out10.tsp
Type: application/octet-stream
Size: 4336 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171114/687548ef/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: out10.tsq
Type: application/octet-stream
Size: 49 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171114/687548ef/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ts00003.pem
Type: application/x-x509-ca-cert
Size: 5200 bytes
Desc: 
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171114/687548ef/attachment-0003.crt>
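
The two verify errors quoted in the message above can be reproduced at the certificate-path level with `openssl verify` on a constructed root -> sub CA -> signer chain. This is an added example, not part of the original post: the certificate names, the temporary directory, the use of `openssl verify` in place of `openssl ts -verify`, and the `-partial_chain` case are assumptions of the example.

```shell
#!/bin/sh
# Constructed throwaway PKI (names are placeholders): root -> sub -> signer.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
cat > "$d/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
[ee]
basicConstraints = CA:FALSE
EOF
for n in root sub signer; do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
done
sign() {  # sign <name> <extension section> <issuer options...>
  n=$1; ext=$2; shift 2
  openssl x509 -req -in "$d/$n.csr" -days 2 -extfile "$d/ext.cnf" \
    -extensions "$ext" -out "$d/$n.pem" "$@" 2>/dev/null
}
sign root   ca -signkey "$d/root.key"
sign sub    ca -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2
sign signer ee -CA "$d/sub.pem"  -CAkey "$d/sub.key"  -set_serial 3

# -CAfile supplies trust anchors; -untrusted supplies extra chain-building
# certificates that are not trusted themselves.
check() { openssl verify "$@" "$d/signer.pem" 2>&1; }

# Root trusted, sub CA offered as untrusted material: complete path.
full_chain()    { check -CAfile "$d/root.pem" -untrusted "$d/sub.pem"; }
# Only the sub CA in the trust file: its own issuer (the root) is missing.
sub_only()      { check -CAfile "$d/sub.pem"; }
# Only the root trusted, no sub CA available: the signer's issuer is missing.
root_only()     { check -CAfile "$d/root.pem"; }
# Sub CA accepted as a trust anchor without a self-signed root above it.
sub_as_anchor() { check -partial_chain -CAfile "$d/sub.pem"; }

for c in full_chain sub_only root_only sub_as_anchor; do
  echo "== $c"; $c
done
```

Treating an intermediate as an anchor with `-partial_chain` narrows trust to that sub CA, but it also means nothing issued above it, including the root's view of the sub CA, is checked on that path.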