From: martijn.list <mar...@gm...> - 2013-02-08 12:17:55
On 02/08/2013 01:05 PM, Alireza Karbasian wrote:
> Yes! This is what I guessed also! But the problem is that I did not
> convert the certificates with openssl but I downloaded the PEM
> certificate from EJBCA and published CRL in CDP and same thing happens!
> Is it possible that this is something related to PEM standard?

A PEM encoded certificate is nothing more than a base64 encoded DER encoded certificate with some header and footer (-----BEGIN---- and -----END---- headers).

Are you 100% certain that the CRL at the CRL dis. point is the correct CRL?

Kind regards,

Martijn

>
> ------------------------------------------------------------------------
> *From:* martijn.list <mar...@gm...>
> *To:* ejb...@li...
> *Sent:* Thursday, February 7, 2013 11:03 PM
> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>
> Hi,
>
> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
> > The attached file contains the test certificates. the certificate here
> > is not issued for pdf signing but this is the same thing that happens to
> > original certificates.
>
> Verification with OpenSSL seems to be ok after conversion of ca.cer to
> PEM (ca.cer.pem)
>
> openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>
> martijn@coolermaster:~/temp/certs$ openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
> verify OK
>
> So OpenSSL thinks the CRL is ok. My own application also thinks the CRL
> is ok. The issue with the extra space is an OpenSSL "issue". It seems
> that the code for x509 outputs an extra space after : but the code for
> crl does not.
>
> Kind regards,
>
> Martijn Brinkers
>
> --
> DJIGZO email encryption
>
> > ------------------------------------------------------------------------
> > *From:* ejbca-support <ejb...@pr...>
> > *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
> > *Sent:* Thursday, February 7, 2013 4:55 PM
> > *Subject:* Re: [Ejbca-develop] Issuer mismatch error
> >
> > On 2013-02-07 14:05, Alireza Karbasian wrote:
> > > hello
> > >
> > > I used EJBCA (4.0.13) to issue a certificate for PDF signing.
> > > Everything seemed good and documents got signed! Now when I open my PDF
> > > in Adobe Reader it tries to validate the certificate against the CRL with my
> > > CDP. It can access it but it gives me an error that "Issuer names mismatch".
> > > I used these commands to check the issuer names:
> > >>>openssl x509 -in signing.pem -issuer -noout
> > >>>openssl crl -in crl.pem -issuer -noout
> > >
> > > and this is the output:
> > > openssl x509 -in test.pem -issuer -noout
> > > *issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE*
> > > openssl crl -in crl.pem -issuer -noout
> > > *issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE*
> >
> > Hi Alireza,
> > I have never heard about this before, can you send a
> > pasted certificate for us to study?
> >
> > Cheers
> > Anders
> > tech support
> >
> > > As you can see there is a space character in the beginning of the
> > > certificate issuer DN. I googled this and came to see there are some
> > > discussions about this and assumed that this is a bug (in openssl
> > > maybe)! But no solutions!
> > > I could not find any related configuration in EJBCA to solve this and
> > > yet I'm not sure even that this is a bug! Did anybody encounter such a
> > > problem? Is this a bug in EJBCA? Any help or guide will be appreciated!
--
DJIGZO email encryption
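
Added example, not part of the original message and not EJBCA or OpenSSL code: the thread notes that PEM is only base64-wrapped DER and that the space after `issuer=` is a printing difference between two openssl commands, so the check that matters is whether the encoded issuer Name in the certificate equals the one in the CRL. The Python sketch below compares those bytes with a minimal DER reader; every function name is an assumption of this example, and the sample certificate and CRL are constructed skeletons holding only the leading fields.

```python
import base64
import re

def pem_to_der(pem_text):
    """PEM is base64 DER between -----BEGIN/END----- lines; strip them and decode."""
    body = re.sub(r"-----[A-Z0-9 ]+-----|\s", "", pem_text)
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_der(der):
    """Raw DER bytes of the issuer Name from a certificate or a CRL."""
    _, pos, _ = read_tlv(der, 0)           # Certificate / CertificateList
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate / tbsCertList
    tag, _, end = read_tlv(der, pos)
    while tag != 0x30:                     # skip [0] version and INTEGER fields
        pos = end
        tag, _, end = read_tlv(der, pos)
    pos = end                              # skip the signature AlgorithmIdentifier
    _, _, end = read_tlv(der, pos)
    return der[pos:end]

def issuers_match(cert_der, crl_der):
    """True only if both objects carry byte-identical issuer Names."""
    return issuer_der(cert_der) == issuer_der(crl_der)

# --- constructed sample data (skeletons, not valid signed objects) ---
def tlv(tag, *parts):
    body = b"".join(parts)                 # short-form length only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def name(cn, string_tag):
    cn_oid = bytes.fromhex("0603550403")   # OID 2.5.4.3 (commonName)
    return tlv(0x30, tlv(0x31, tlv(0x30, cn_oid, tlv(string_tag, cn.encode()))))

ALG = bytes.fromhex("300d06092a864886f70d0101050500")  # sha1WithRSAEncryption
UTF8, PRINTABLE = 0x0C, 0x13               # ASN.1 string types for the CN value

def sample_cert(issuer):
    return tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), ALG, issuer))

def sample_crl(issuer):
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"), ALG, issuer))
```

Byte equality is the strictest form of this comparison; two Names with the same printed text but different string types (the `UTF8` and `PRINTABLE` samples) fail it, which the printed `issuer=` lines cannot show.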