From: Tham W. <ejb...@pr...> - 2013-02-08 16:14:49
Hello,

* I curled the CRL from the CDP and the CRL verifies with OpenSSL
* I printed info in certificates, it looks good to me
* I verified the certificate against CA chain but NOT CRL it checks out OK

    openssl verify -verbose -CAfile chain.pem certdownloadedFromEJBCA.pem
    certdownloadedFromEJBCA.pem: OK

* I try to verify the certificate against CA AND CRL (CDP) and it fails

    openssl verify -verbose -crl_check -CAfile chain.pem certdownloadedFromEJBCA.pem
    certdownloadedFromEJBCA.pem: /CN=RooznamehRasmi/OU=rooznameh rasmi/O=JUD/C=IR
    error 3 at 0 depth lookup:unable to get certificate CRL

I am unsure what this means however.

/Tham Wickenberg

On 2/8/13 4:37 PM, ejbca-support wrote:
> On 2013-02-08 15:31, Alireza Karbasian wrote:
>> ok if we assume that this is just a printout issue in openssl so what's
>> happening to main certificates from ejbca? i used the PEM certificate
>> downloaded from EJBCA and not the converted one with openssl. i send the
>> ca chain and signed pdf so you can check it out! i see the error in
>> adobe acrobat 9,10 and 11 !
> Hi Alireza
> Could you check that the CRL does not verify with OpenSSL?
> I don't see any problems but the PDF didn't validate here either :-)
>
> Anders
>> ------------------------------------------------------------------------
>> *From:* ejbca-support <ejb...@pr...>
>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>> *Sent:* Friday, February 8, 2013 3:48 PM
>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>
>> On 2013-02-08 13:05, Alireza Karbasian wrote:
>>> yes! this is what i guessed also! but the problem is this that i did not
>>> convert the certificates with openssl but i downloaded the PEM certificate
>>> from EJBCA and published CRL in CDP and same thing happens!
>>> is it possible that this is something related to PEM standard?
>> No, this is just a printout formatting issue in OpenSSL.
>> Cheers
>> Anders
>> tech support
>>> ------------------------------------------------------------------------
>>> *From:* martijn.list <mar...@gm...>
>>> *To:* ejb...@li...
>>> *Sent:* Thursday, February 7, 2013 11:03 PM
>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>
>>> Hi,
>>>
>>> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
>>>> The attached file contains the test certificates. the certificate here
>>>> is not issued for pdf signing but this is the same thing that happens to
>>>> original certificates.
>>> Verification with OpenSSL seems to be ok after conversion of ca.cer to
>>> PEM (ca.cer.pem)
>>>
>>> openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>>
>>> martijn@coolermaster:~/temp/certs$ openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>> verify OK
>>>
>>> So OpenSSL thinks the CRL is ok. My own application also thinks the CRL
>>> is ok. The issue with the extra space is an OpenSSL "issue". It seems
>>> that the code for x509 outputs an extra space after : but the code for
>>> crl does not.
>>>
>>> Kind regards,
>>>
>>> Martijn Brinkers
>>>
>>> --
>>> DJIGZO email encryption
>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* ejbca-support <ejb...@pr...>
>>>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>>>> *Sent:* Thursday, February 7, 2013 4:55 PM
>>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>>
>>>> On 2013-02-07 14:05, Alireza Karbasian wrote:
>>>> > hello
>>>> >
>>>> > I used EJBCA (4.0.13) to issue a certificate for PDF signing.
>>>> > everything seemed good and documents got signed! now when I open my PDF
>>>> > in adobe reader it tries to validate certificate against the CRL with my
>>>> > CDP. it can access it but it gives me an error that "Issuer names mismatch".
>>>> > I used these commands to check the issuer names:
>>>> >>>openssl x509 -in signing.pem -issuer -noout
>>>> >>>openssl crl -in crl.pem -issuer -noout
>>>> >
>>>> > and this is the output:
>>>> > openssl x509 -in test.pem -issuer -noout
>>>> > *issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE*
>>>> > openssl crl -in crl.pem -issuer -noout
>>>> > *issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE*
>>>>
>>>> Hi Alireza,
>>>> I have never heard about this before, can you send a
>>>> pasted certificate for us to study?
>>>>
>>>> Cheers
>>>> Anders
>>>> tech support
>>>>
>>>> > as you can see there is space character in the beginning of
>>>> > certificate issuer DN. I googled this and came to see there are some
>>>> > discussions about this and assumed that this is a bug (in openssl
>>>> > maybe)! but no solutions!
>>>> > I could not find any related configuration in EJBCA to solve this and
>>>> > yet I'm not sure even that this is a bug! did anybody encounter such a
>>>> > problem? is this a bug in EJBCA? any help or guide will be appreciated!
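
Added example, not part of the thread and not EJBCA or OpenSSL code: the `-issuer` printouts quoted above differ only by a space in OpenSSL's text output, so a sturdier check is to pull the issuer Name out of the certificate and the CRL and compare the DER bytes. The helper names (`issuer_der`, `same_issuer`) and the skeletal sample structures are constructed for illustration; the PrintableString variant is a constructed contrast case, not a diagnosis of the error reported here.

```python
# Added example; every sample structure here is constructed (skeletal, unsigned).
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_der(der, kind):
    """Raw DER of the issuer Name in a certificate (kind='cert') or a CRL (kind='crl')."""
    _, start, _ = read_tlv(der, 0)          # Certificate / CertificateList
    _, pos, end = read_tlv(der, start)      # tbsCertificate / tbsCertList
    fields = []
    while pos < end:                        # (tag, raw bytes) of every tbs field
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if kind == "cert":                      # [0] version (absent in v1), then serialNumber
        i = 2 if fields[0][0] == 0xA0 else 1
    else:                                   # version is an optional INTEGER in a CRL
        i = 1 if fields[0][0] == 0x02 else 0
    return fields[i + 1][1]                 # issuer follows the signature AlgorithmIdentifier

def same_issuer(cert_der, crl_der):
    return issuer_der(cert_der, "cert") == issuer_der(crl_der, "crl")

def tlv(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def name(cn_tag):
    """CN=AdminCA1, O=EJBCA Sample, C=SE; cn_tag picks the CN string type."""
    attrs = [(b"\x55\x04\x03", cn_tag, b"AdminCA1"),
             (b"\x55\x04\x0a", 0x0C, b"EJBCA Sample"), (b"\x55\x04\x06", 0x13, b"SE")]
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, o) + tlv(t, v))) for o, t, v in attrs))
ALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + b"\x05\x00")  # sha1WithRSA

def cert(nm):                               # v3 skeleton: version, serial, signature, issuer
    return tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG + nm))
def crl(nm):                                # v2 skeleton: version, signature, issuer
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + ALG + nm))

print(same_issuer(cert(name(0x0C)), crl(name(0x0C))))  # CN is UTF8String in both
print(same_issuer(cert(name(0x0C)), crl(name(0x13))))  # CN is PrintableString in the CRL
```

On real files, convert PEM to DER first (for example with `openssl x509 -outform DER` and `openssl crl -outform DER`) and pass the bytes to `same_issuer`.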