From: ejbca-support <ejb...@pr...> - 2013-02-08 15:37:52
On 2013-02-08 15:31, Alireza Karbasian wrote:
> OK, if we assume that this is just a printout issue in OpenSSL, so what's happening to the main certificates from EJBCA? I used the PEM certificate downloaded from EJBCA and not the one converted with OpenSSL. I send the CA chain and signed PDF so you can check it out! I see the error in Adobe Acrobat 9, 10 and 11!

Hi Alireza

Could you check that the CRL does not verify with OpenSSL?
I don't see any problems but the PDF didn't validate here either :-)

Anders

> ------------------------------------------------------------------------
> *From:* ejbca-support <ejb...@pr...>
> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
> *Sent:* Friday, February 8, 2013 3:48 PM
> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>
> On 2013-02-08 13:05, Alireza Karbasian wrote:
>> Yes! This is what I guessed also! But the problem is that I did not
>> convert the certificates with OpenSSL; I downloaded the PEM certificate
>> from EJBCA and published the CRL in the CDP and the same thing happens!
>> Is it possible that this is something related to the PEM standard?
>
> No, this is just a printout formatting issue in OpenSSL.
> Cheers
> Anders
> tech support
>
>> ------------------------------------------------------------------------
>> *From:* martijn.list <mar...@gm...>
>> *To:* ejb...@li...
>> *Sent:* Thursday, February 7, 2013 11:03 PM
>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>
>> Hi,
>>
>> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
>>> The attached file contains the test certificates. The certificate here
>>> is not issued for PDF signing but this is the same thing that happens to
>>> original certificates.
>>
>> Verification with OpenSSL seems to be ok after conversion of ca.cer to
>> PEM (ca.cer.pem)
>>
>> openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>
>> martijn@coolermaster:~/temp/certs$ openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>> verify OK
>>
>> So OpenSSL thinks the CRL is ok. My own application also thinks the CRL
>> is ok. The issue with the extra space is an OpenSSL "issue". It seems
>> that the code for x509 outputs an extra space after : but the code for
>> crl does not.
>>
>> Kind regards,
>>
>> Martijn Brinkers
>>
>> --
>> DJIGZO email encryption
>>
>>> ------------------------------------------------------------------------
>>> *From:* ejbca-support <ejb...@pr...>
>>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>>> *Sent:* Thursday, February 7, 2013 4:55 PM
>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>
>>> On 2013-02-07 14:05, Alireza Karbasian wrote:
>>> > hello
>>> >
>>> > I used EJBCA (4.0.13) to issue a certificate for PDF signing.
>>> > Everything seemed good and documents got signed! Now when I open my PDF
>>> > in Adobe Reader it tries to validate the certificate against the CRL with my
>>> > CDP. It can access it but it gives me an error that "Issuer names mismatch".
>>> > I used these commands to check the issuer names:
>>> > openssl x509 -in signing.pem -issuer -noout
>>> > openssl crl -in crl.pem -issuer -noout
>>> >
>>> > and this is the output:
>>> > openssl x509 -in test.pem -issuer -noout
>>> > *issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE*
>>> > openssl crl -in crl.pem -issuer -noout
>>> > *issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE*
>>>
>>> Hi Alireza,
>>> I have never heard about this before, can you send a
>>> pasted certificate for us to study?
>>>
>>> Cheers
>>> Anders
>>> tech support
>>>
>>> > As you can see there is a space character at the beginning of the
>>> > certificate issuer DN. I googled this and came to see there are some
>>> > discussions about this and assumed that this is a bug (in openssl
>>> > maybe)! But no solutions!
>>> > I could not find any related configuration in EJBCA to solve this and
>>> > yet I'm not even sure that this is a bug! Did anybody encounter such a
>>> > problem? Is this a bug in EJBCA? Any help or guide will be appreciated!
>>> >
>>> > _______________________________________________
>>> > Ejbca-develop mailing list
>>> > Ejb...@li...
>>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
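Added example, not part of the thread and not code from EJBCA or OpenSSL: this Python code compares the issuer Name of a certificate and a CRL as raw DER bytes, so the way a tool prints the DN (such as the leading space discussed above) cannot affect the result. The sample structures are constructed skeletons carrying the DN from the thread; the second CRL, which encodes O as PrintableString instead of UTF8String, is a hypothetical case for illustration and not a finding about the files in this thread.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_der(der, is_crl):
    """Raw DER bytes of the issuer Name in a Certificate or CertificateList."""
    _, pos, _ = read_tlv(der, 0)              # outer SEQUENCE
    _, pos, _ = read_tlv(der, pos)            # tbsCertificate / tbsCertList
    tag, _, end = read_tlv(der, pos)
    if tag == (0x02 if is_crl else 0xA0):     # optional version field
        pos = end
    if not is_crl:
        _, _, pos = read_tlv(der, pos)        # serialNumber (certificates only)
    _, _, pos = read_tlv(der, pos)            # signature AlgorithmIdentifier
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("issuer Name is not a SEQUENCE")
    return der[pos:end]

def issuers_match(cert_der, crl_der):
    """True only if both issuer Names are byte-identical in DER."""
    return issuer_der(cert_der, False) == issuer_der(crl_der, True)

# --- constructed sample data (hypothetical, short-form lengths only) ---
def tlv(tag, body):
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def name(o_tag):
    """Name CN=AdminCA1,O=EJBCA Sample,C=SE; o_tag selects the string type of O."""
    def rdn(oid, tag, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text)))
    return tlv(0x30, rdn(b"\x55\x04\x03", 0x0C, b"AdminCA1")
               + rdn(b"\x55\x04\x0a", o_tag, b"EJBCA Sample")
               + rdn(b"\x55\x04\x06", 0x13, b"SE"))

SIGALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
# Skeletons with only the leading TBS fields the parser reads (not signed objects).
CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                     + SIGALG + name(0x0C)))
CRL_SAME = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + SIGALG + name(0x0C)))
CRL_OTHER = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + SIGALG + name(0x13)))
```

Both CRLs print the same DN text; only `CRL_SAME` is byte-identical to the certificate's issuer. For real files, decode the PEM body to DER first and pass the bytes to `issuers_match`.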