From: ejbca-support <ejb...@pr...> - 2013-02-08 12:18:51
On 2013-02-08 13:05, Alireza Karbasian wrote:
> yes! this is what I guessed also! but the problem is that I did not
> convert the certificates with openssl but I downloaded the PEM certificate
> from EJBCA and published CRL in CDP and same thing happens!
> is it possible that this is something related to PEM standard?

No, this is just a printout formatting issue in OpenSSL.

Cheers
Anders
tech support

>
> ------------------------------------------------------------------------
> *From:* martijn.list <mar...@gm...>
> *To:* ejb...@li...
> *Sent:* Thursday, February 7, 2013 11:03 PM
> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>
> Hi,
>
> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
>> The attached file contains the test certificates. the certificate here
>> is not issued for pdf signing but this is the same thing that happens to
>> original certificates.
>
> Verification with OpenSSL seems to be ok after conversion of ca.cer to
> PEM (ca.cer.pem)
>
> openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem
> -inform DER
>
> martijn@coolermaster:~/temp/certs$ openssl crl -in
> AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
> verify OK
>
> So OpenSSL thinks the CRL is ok. My own application also thinks the CRL
> is ok. The issue with the extra space is an OpenSSL "issue". It seems
> that the code for x509 outputs an extra space after : but the code for
> crl does not.
>
> Kind regards,
>
> Martijn Brinkers
>
> --
> DJIGZO email encryption
>
>>
>> ------------------------------------------------------------------------
>> *From:* ejbca-support <ejb...@pr...>
>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>> *Sent:* Thursday, February 7, 2013 4:55 PM
>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>
>> On 2013-02-07 14:05, Alireza Karbasian wrote:
>> > hello
>> >
>> > I used EJBCA (4.0.13) to issue a certificate for PDF signing.
>> > everything seemed good and documents got signed! now when I open my PDF
>> > in adobe reader it tries to validate certificate against the CRL with my
>> > CDP. it can access it but it gives me an error that "Issuer names mismatch".
>> > I used these commands to check the issuer names:
>> >>>openssl x509 -in signing.pem -issuer -noout
>> >>>openssl crl -in crl.pem -issuer -noout
>> >
>> > and this is the output:
>> > openssl x509 -in test.pem -issuer -noout
>> > *issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE*
>> > openssl crl -in crl.pem -issuer -noout
>> > *issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE*
>>
>> Hi Alireza,
>> I have never heard about this before, can you send a
>> pasted certificate for us to study?
>>
>> Cheers
>> Anders
>> tech support
>>
>> > as you can see there is a space character in the beginning of
>> > certificate issuer DN. I googled this and came to see there are some
>> > discussions about this and assumed that this is a bug (in openssl
>> > maybe)! but no solutions!
>> > I could not find any related configuration in EJBCA to solve this and
>> > yet I'm not sure even that this is a bug! did anybody encounter such a
>> > problem? is this a bug in EJBCA? any help or guide will be appreciated!
>> >
>> > _______________________________________________
>> > Ejbca-develop mailing list
>> > Ejb...@li...
>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
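
An added example, not part of the original thread: because the leading space is only OpenSSL print formatting, the issuer Name of a certificate and of a CRL can be compared as DER bytes rather than as printed text. The certificate and CRL here are unsigned skeletons constructed for illustration, and the helper names (`issuer_der`, `name`, `sample_cert`, `sample_crl`) are hypothetical.

```python
# Added example: unsigned skeleton structures, constructed for illustration only.

def tlv(tag, content):
    """Encode one DER element; short-form length is enough for the samples."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = size of length field
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, raw_element) for each element inside constructed content."""
    pos = 0
    while pos < len(content):
        tag, _, end = read_tlv(content, pos)
        yield tag, content[pos:end]
        pos = end

def issuer_der(der):
    """Raw issuer Name from a Certificate or a CertificateList (CRL)."""
    tbs = read_tlv(read_tlv(der)[1])[1]    # outer SEQUENCE -> tbsCertificate / tbsCertList
    # In both layouts the issuer is the second SEQUENCE, after the AlgorithmIdentifier.
    return [raw for tag, raw in children(tbs) if tag == 0x30][1]

def name(*attrs):
    """Build a Name from (oid_bytes, text) pairs, one UTF8String attribute per RDN."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode()))) for oid, text in attrs))

CN, O, C = b"\x55\x04\x03", b"\x55\x04\x0a", b"\x55\x04\x06"
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))  # sha1WithRSA
ISSUER = name((CN, "AdminCA1"), (O, "EJBCA Sample"), (C, "SE"))  # DN printed in the thread
# Skeletons: only the fields up to the issuer are populated; the signature is empty.
def sample_cert(issuer):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG + issuer)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00"))
def sample_crl(issuer):
    tbs = tlv(0x30, tlv(0x02, b"\x01") + ALG + issuer + tlv(0x17, b"130207123647Z"))
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(issuer_der(sample_cert(ISSUER)) == issuer_der(sample_crl(ISSUER)))
```

To check real files, pass the DER bytes of the certificate and of the CRL to `issuer_der` and compare the two results.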