|
From: Alireza K. <ili...@ya...> - 2013-02-07 13:05:49
|
Hello,

I used EJBCA (4.0.13) to issue a certificate for PDF signing. Everything seemed good and documents got signed! Now when I open my PDF in Adobe Reader it tries to validate the certificate against the CRL with my CDP. It can access it but it gives me an error that "Issuer names mismatch".

I used these commands to check the issuer names:

>>openssl x509 -in signing.pem -issuer -noout
>>openssl crl -in crl.pem -issuer -noout

and this is the output:

openssl x509 -in test.pem -issuer -noout
issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE
openssl crl -in crl.pem -issuer -noout
issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE

As you can see there is a space character at the beginning of the certificate issuer DN. I googled this and came to see there are some discussions about this and assumed that this is a bug (in openssl maybe)! But no solutions!

I could not find any related configuration in EJBCA to solve this and yet I'm not even sure that this is a bug! Has anybody encountered such a problem? Is this a bug in EJBCA? Any help or guide will be appreciated!
|
From: ejbca-support <ejb...@pr...> - 2013-02-07 13:25:31
|
Hi Alireza,
I have never heard about this before, can you send a
pasted certificate for us to study?

Cheers
Anders
tech support
|
From: Tomas G. <to...@pr...> - 2013-02-07 14:14:57
|
At least we know PDF signing with EJBCA issued certificates works in practice in a couple of places (in production). It looks to me like a bug just in the display output of openssl.

Cheers,
Tomas
|
From: martijn.list <mar...@gm...> - 2013-02-08 12:17:55
|
On 02/08/2013 01:05 PM, Alireza Karbasian wrote:
> yes! this is what i guessed also! but the problem is this that i did not
> convert the certificates with openssl but i downloaded the PEM
> certificate from EJBCA and published CRL in CDP and same thing happens!
> is it possible that this is something related to PEM standard?

A PEM encoded certificate is nothing more than a base64 encoded DER encoded certificate with some header and footer (-----BEGIN---- and -----END---- headers).

Are you 100% certain that the CRL at the CRL dis. point is the correct CRL?

Kind regards,

Martijn

> ------------------------------------------------------------------------
> *From:* martijn.list <mar...@gm...>
> *To:* ejb...@li...
> *Sent:* Thursday, February 7, 2013 11:03 PM
> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>
> Hi,
>
> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
> > The attached file contains the test certificates. the certificate here
> > is not issued for pdf signing but this is the same thing that happens to
> > original certificates.
>
> Verification with OpenSSL seems to be ok after conversion of ca.cer to
> PEM (ca.cer.pem)
>
> openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem
> -inform DER
>
> martijn@coolermaster:~/temp/certs$ openssl crl -in
> AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
> verify OK
>
> So OpenSSL thinks the CRL is ok. My own application also thinks the CRL
> is ok. The issue with the extra space is an OpenSSL "issue". It seems
> that the code for x509 outputs an extra space after : but the code for
> crl does not.
>
> Kind regards,
>
> Martijn Brinkers
>
> --
> DJIGZO email encryption

--
DJIGZO email encryption
|
From: Alireza K. <ili...@ya...> - 2013-02-08 14:23:17
|
Yes, it's the correct CRL. There is a script that downloads the CRL from EJBCA and copies it to a remote FTP so it can be accessed from the internet!
|
From: Alireza K. <ili...@ya...> - 2013-02-08 16:45:23
|
Maybe this error is related to the CDP address in the CA cert! The CDP is not mentioned in the CA certificate but it's available in issued certificates. So when openssl wants to verify against the CDP it cannot find the address in the CA certificate and it fails (maybe it grabs the CDP from the CA cert and not the issued certificate)! But when you give it the CRL file it can verify it! But this does not seem to be the cause of the "issuer mismatch" error!

________________________________
From: Tham Wickenberg <ejb...@pr...>
To: Alireza Karbasian <ili...@ya...>; ejb...@li...
Sent: Friday, February 8, 2013 7:44 PM
Subject: Re: [Ejbca-develop] Issuer mismatch error

Hello,

* I curled the CRL from the CDP and the CRL verifies with OpenSSL
* I printed info in certificates, it looks good to me
* I verified the certificate against CA chain but NOT CRL it checks out OK

openssl verify -verbose -CAfile chain.pem certdownloadedFromEJBCA.pem
certdownloadedFromEJBCA.pem: OK

* I try to verify the certificate against CA AND CRL (CDP) and it fails

openssl verify -verbose -crl_check -CAfile chain.pem certdownloadedFromEJBCA.pem
certdownloadedFromEJBCA.pem: /CN=RooznamehRasmi/OU=rooznameh rasmi/O=JUD/C=IR
error 3 at 0 depth lookup:unable to get certificate CRL

I am unsure what this means however.

/Tham Wickenberg

On 2/8/13 4:37 PM, ejbca-support wrote:
> On 2013-02-08 15:31, Alireza Karbasian wrote:
>> ok if we assume that this is just a printout issue in openssl so what's happening to main certificates from ejbca? i used the PEM certificate downloaded from EJBCA and not the converted one with openssl. i send the ca chain and signed pdf so you can check it out! i see the error in adobe acrobat 9,10 and 11 !
> Hi Alireza
> Could you check that the CRL does not verify with OpenSSL?
> I don't see any problems but the PDF didn't validate here either :-)
>
> Anders
>> ------------------------------------------------------------------------
>> *From:* ejbca-support <ejb...@pr...>
>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>> *Sent:* Friday, February 8, 2013 3:48 PM
>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>
>> On 2013-02-08 13:05, Alireza Karbasian wrote:
>>> yes! this is what i guessed also! but the problem is this that i did not
>>> convert the certificates with openssl but i downloaded the PEM certificate
>>> from EJBCA and published CRL in CDP and same thing happens!
>>> is it possible that this is something related to PEM standard?
>> No, this is just a printout formatting issue in OpenSSL.
>> Cheers
>> Anders
>> tech support
|
From: Alireza K. <ili...@ya...> - 2013-02-09 13:37:33
|
Well I figured out the problem and i thought to explain it here maybe it can help someone! in fact the problem was with crl issuer filed in certificate profiles under CDP Address! if you generate this field it will appear in certificate under CDP as Directory access info! now the bug or mistake is with adobe reader! it compares this filed with certificate (or CRL) issuer and generates an "issuer mismatch" error! but it must compare for example cert.authorityKeyIdentifier=crl.authortyKeyIdentifier=ca.subjectKeyIdentifier I removed this filed and it's working! ________________________________ From: Tham Wickenberg <ejb...@pr...> To: Alireza Karbasian <ili...@ya...>; ejb...@li... Sent: Friday, February 8, 2013 7:44 PM Subject: Re: [Ejbca-develop] Issuer mismatch error Hello, * I curled the CRL from the CDP and the the CRL verifies with OpenSSL * I printed info in certificates, it looks good to me * I verified the certificate against CA chain but NOT CRL it checks out OK openssl verify -verbose -CAfile chain.pem certdownloadedFromEJBCA.pem certdownloadedFromEJBCA.pem: OK * I try to verify the certificate against CA AND CRL (CDP) and it fails openssl verify -verbose -crl_check -CAfile chain.pem certdownloadedFromEJBCA.pem certdownloadedFromEJBCA.pem: /CN=RooznamehRasmi/OU=rooznameh rasmi/O=JUD/C=IR error 3 at 0 depth lookup:unable to get certificate CRL I am unsure what this means however. /Tham Wickenberg On 2/8/13 4:37 PM, ejbca-support wrote: > On 2013-02-08 15:31, Alireza Karbasian wrote: >> ok if we assume that this is just a printout issue in openssl so what's happenning to main certificates from ejbca? i used the PEM certificate downloaded from EJBCA and not the converted one with openssl. i send the ca chain and signed pdf so you can check it out! i see the error in adobe acrobat 9,10 and 11 ! > Hi Alireza > Could you check that the CRL does not verify with OpenSSL? 
> I don't see any problems but the PDF didn't validate here either :-)
>
> Anders |
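Added example, not part of the thread and not EJBCA or Adobe code: a Python check (assuming the third-party `cryptography` package) that compares the fields Alireza names on parsed values instead of on `openssl` printouts, and lists any cRLIssuer entry found in the certificate's CDP. All names, URLs and keys are constructed; for reference, RFC 5280 section 4.2.1.13 has a CA that issues its own CRLs omit cRLIssuer.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed validity window; nothing here is taken from the thread.
START, END = datetime.datetime(2024, 1, 1), datetime.datetime(2034, 1, 1)


def constructed_name(cn):
    """Constructed sample DN; none of these values come from the thread."""
    return x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Constructed Org"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "SE"),
    ])


def _ext(obj, ext_class):
    """Return a parsed extension value, or None when the extension is absent."""
    try:
        return obj.extensions.get_extension_for_class(ext_class).value
    except x509.ExtensionNotFound:
        return None


def crl_link_report(cert, crl, ca_cert):
    """Compare the fields that tie a certificate to a CRL, on parsed values."""
    ski = _ext(ca_cert, x509.SubjectKeyIdentifier)
    cert_aki = _ext(cert, x509.AuthorityKeyIdentifier)
    crl_aki = _ext(crl, x509.AuthorityKeyIdentifier)
    idp = _ext(crl, x509.IssuingDistributionPoint)
    # cRLIssuer entries of directoryName type inside the certificate's CDP.
    dp_issuers = [gn.value
                  for dp in (_ext(cert, x509.CRLDistributionPoints) or [])
                  for gn in (dp.crl_issuer or [])
                  if isinstance(gn, x509.DirectoryName)]
    return {
        # Name objects compare attribute by attribute; print layout plays no part.
        "issuer_dn_match": cert.issuer == crl.issuer,
        "crl_signed_by_ca": crl.is_signature_valid(ca_cert.public_key()),
        "key_ids_match": all(e is not None for e in (ski, cert_aki, crl_aki))
        and cert_aki.key_identifier == crl_aki.key_identifier == ski.digest,
        "cdp_crl_issuer": [n.rfc4514_string() for n in dp_issuers],
        # None means the CDP carries no cRLIssuer, so there is nothing to compare.
        "cdp_crl_issuer_matches_crl":
            all(n == crl.issuer for n in dp_issuers) if dp_issuers else None,
        "crl_is_indirect": bool(idp is not None and idp.indirect_crl),
    }


def build_constructed_pki(cdp_crl_issuer=None):
    """Build a throwaway CA, end-entity certificate and CRL for the check above."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ee_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = constructed_name("Constructed CA")
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(START).not_valid_after(END)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .add_extension(x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()),
                              critical=False)
               .sign(ca_key, hashes.SHA256()))
    aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key())
    # Optional cRLIssuer in the CDP, encoded as a directoryName.
    dp = x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier("http://ca.example/crl")],
        relative_name=None, reasons=None,
        crl_issuer=[x509.DirectoryName(cdp_crl_issuer)] if cdp_crl_issuer else None)
    cert = (x509.CertificateBuilder()
            .subject_name(constructed_name("Constructed PDF signer")).issuer_name(ca_name)
            .public_key(ee_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(START).not_valid_after(END)
            .add_extension(aki, critical=False)
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca_name).last_update(START).next_update(END)
           .add_extension(aki, critical=False)
           .sign(ca_key, hashes.SHA256()))
    return ca_cert, cert, crl


if __name__ == "__main__":
    for label, dn in (("CDP without cRLIssuer", None),
                      ("CDP with a cRLIssuer that differs from the CRL issuer",
                       constructed_name("Constructed Other Name"))):
        ca_cert, cert, crl = build_constructed_pki(cdp_crl_issuer=dn)
        print(label, crl_link_report(cert, crl, ca_cert))
```

With real files, load them through `x509.load_pem_x509_certificate` and `x509.load_pem_x509_crl` (or the DER variants) and pass the results to `crl_link_report`.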
|
From: Andreas B. <ab...@an...> - 2013-02-09 15:14:12
Attachments:
smime.p7s
|
Dear Alireza

On 09.02.2013 14:37, Alireza Karbasian wrote:
>
> Well I figured out the problem and I thought to explain it here, maybe it
> can help someone!

Great that you share your findings and learnings with this list!

This is what I call F/OSS spirit, and it helps to promote and improve EJBCA at the end of the day.

Thanks again.

cheers,
h.
--
Andreas Bürki
ab...@an...
S/MIME certificate - SHA1 fingerprint:
ED:A5:F3:60:70:8B:4C:16:44:18:96:AE:67:B9:CA:77:AE:DA:83:11
GnuPG - GPG fingerprint:
5DA7 5F48 25BD D2D7 E488 05DF 5A99 A321 7E42 0227 |
|
From: ejbca-support <ejb...@pr...> - 2013-02-09 15:19:20
|
On 2013-02-09 14:37, Alireza Karbasian wrote:
>
> Well I figured out the problem and I thought to explain it here, maybe it can help someone!
> In fact the problem was with the CRL issuer field in certificate profiles under CDP Address! If you generate this field it will appear in the certificate under CDP as Directory access info!
> Now the bug or mistake is with Adobe Reader! It compares this field with the certificate (or CRL) issuer and generates an "issuer mismatch" error! But it must compare, for example, cert.authorityKeyIdentifier=crl.authorityKeyIdentifier=ca.subjectKeyIdentifier
>
> I removed this field and it's working!

Alireza,
I am happy to hear that it works and very much appreciate that you shared the solution with the EJBCA community!

Cheers
Anders
tech support
<mailto:Ejb...@li...>> <mailto:Ejb...@li... <mailto:Ejb...@li...> <mailto:Ejb...@li... <mailto:Ejb...@li...>>> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop >>>> >>>> >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> Free Next-Gen Firewall Hardware Offer >>>> Buy your Sophos next-gen firewall before the end March 2013 >>>> and get the hardware for free! Learn more. >>>> http://p.sf.net/sfu/sophos-d2d-feb >>>> >>>> >>>> >>>> _______________________________________________ >>>> Ejbca-develop mailing list >>>> Ejb...@li... <mailto:Ejb...@li...> <mailto:Ejb...@li... <mailto:Ejb...@li...>> >>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop >>>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Free Next-Gen Firewall Hardware Offer >>> Buy your Sophos next-gen firewall before the end March 2013 >>> and get the hardware for free! Learn more. >>> http://p.sf.net/sfu/sophos-d2d-feb >>> >>> >>> >>> _______________________________________________ >>> Ejbca-develop mailing list >>> Ejb...@li... <mailto:Ejb...@li...> >>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop >>> >> >> ------------------------------------------------------------------------------ >> Free Next-Gen Firewall Hardware Offer >> Buy your Sophos next-gen firewall before the end March 2013 >> and get the hardware for free! Learn more. >> http://p.sf.net/sfu/sophos-d2d-feb >> _______________________________________________ >> Ejbca-develop mailing list >> Ejb...@li... <mailto:Ejb...@li...> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > > > ------------------------------------------------------------------------------ > Free Next-Gen Firewall Hardware Offer > Buy your Sophos next-gen firewall before the end March 2013 > and get the hardware for free! Learn more. 
> http://p.sf.net/sfu/sophos-d2d-feb > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... <mailto:Ejb...@li...> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > > ------------------------------------------------------------------------------ > Free Next-Gen Firewall Hardware Offer > Buy your Sophos next-gen firewall before the end March 2013 > and get the hardware for free! Learn more. > http://p.sf.net/sfu/sophos-d2d-feb > > > > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |
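Added example (not part of the original thread, and not EJBCA or OpenSSL code): Martijn's reply attributes the leading space to how `openssl x509` and `openssl crl` print the name, so this Python code compares the issuer fields as encoded DER bytes instead of as printed text. All function names are assumptions made for illustration, and the sample certificate and CRL are constructed, unsigned skeletons that carry only the fields up to the issuer.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length

def issuer_der(der, is_crl):
    """Raw DER of the issuer Name in a Certificate or CertificateList."""
    _, pos, _ = read_tlv(der, 0)            # step into the outer SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # step into tbsCertificate / tbsCertList
    tag, _, end = read_tlv(der, pos)
    if tag == (0x02 if is_crl else 0xA0):   # optional version field
        pos = end
    if not is_crl:
        _, _, pos = read_tlv(der, pos)      # skip serialNumber
    _, _, pos = read_tlv(der, pos)          # skip signature AlgorithmIdentifier
    _, _, end = read_tlv(der, pos)          # issuer Name
    return der[pos:end]

def same_issuer(cert_der, crl_der):
    return issuer_der(cert_der, False) == issuer_der(crl_der, True)

# Constructed sample data below (hypothetical skeletons, not real EJBCA output).
def tlv(tag, body):
    assert len(body) < 0x80                 # short-form lengths suffice here
    return bytes([tag, len(body)]) + body

def name(str_tag):
    """CN=AdminCA1,O=EJBCA Sample,C=SE with CN and O encoded as str_tag."""
    def rdn(oid, tag, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode())))
    return tlv(0x30, rdn(b"\x55\x04\x03", str_tag, "AdminCA1")
                     + rdn(b"\x55\x04\x0a", str_tag, "EJBCA Sample")
                     + rdn(b"\x55\x04\x06", 0x13, "SE"))

UTF8, PRINTABLE = 0x0C, 0x13                # ASN.1 string type tags
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")

def fake_cert(issuer):                      # [0] version, serial, sigAlg, issuer
    return tlv(0x30, tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + ALG + issuer))

def fake_crl(issuer):                       # version, sigAlg, issuer
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01" + ALG + issuer))
```

On real files, convert to DER first (`openssl x509 -outform DER`, `openssl crl -outform DER`) and pass the bytes to `same_issuer`. Byte equality is stricter than the name-matching rules of RFC 5280, so a difference such as UTF8String versus PrintableString shows up here even when the printed DNs are identical.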