From: Alireza K. <ili...@ya...> - 2013-02-08 16:45:23

Maybe this error is related to the CDP address in the CA cert! The CDP is not mentioned in the CA certificate but it's available in the issued certificates. So when OpenSSL wants to verify against the CDP it cannot find the address in the CA certificate and it fails (maybe it grabs the CDP from the CA cert and not from the issued certificate)! But when you give it the CRL file it can verify it! But this does not seem to be the cause of the "issuer mismatch" error!

________________________________
From: Tham Wickenberg <ejb...@pr...>
To: Alireza Karbasian <ili...@ya...>; ejb...@li...
Sent: Friday, February 8, 2013 7:44 PM
Subject: Re: [Ejbca-develop] Issuer mismatch error

Hello,

* I curled the CRL from the CDP and the CRL verifies with OpenSSL
* I printed info in certificates, it looks good to me
* I verified the certificate against the CA chain but NOT the CRL; it checks out OK

  openssl verify -verbose -CAfile chain.pem certdownloadedFromEJBCA.pem
  certdownloadedFromEJBCA.pem: OK

* I try to verify the certificate against the CA AND the CRL (CDP) and it fails

  openssl verify -verbose -crl_check -CAfile chain.pem certdownloadedFromEJBCA.pem
  certdownloadedFromEJBCA.pem: /CN=RooznamehRasmi/OU=rooznameh rasmi/O=JUD/C=IR
  error 3 at 0 depth lookup:unable to get certificate CRL

I am unsure what this means however.

/Tham Wickenberg

On 2/8/13 4:37 PM, ejbca-support wrote:
> On 2013-02-08 15:31, Alireza Karbasian wrote:
>> OK, if we assume that this is just a printout issue in OpenSSL, then what's happening to the main certificates from EJBCA? I used the PEM certificate downloaded from EJBCA and not the one converted with OpenSSL. I send the CA chain and the signed PDF so you can check it out! I see the error in Adobe Acrobat 9, 10 and 11!
>
> Hi Alireza
> Could you check that the CRL does not verify with OpenSSL?
> I don't see any problems but the PDF didn't validate here either :-)
>
> Anders
>
>> ------------------------
>> *From:* ejbca-support <ejb...@pr...>
>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>> *Sent:* Friday, February 8, 2013 3:48 PM
>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>
>> On 2013-02-08 13:05, Alireza Karbasian wrote:
>>> Yes! This is what I guessed also! But the problem is that I did not
>>> convert the certificates with OpenSSL; I downloaded the PEM certificate
>>> from EJBCA and published the CRL in the CDP and the same thing happens!
>>> Is it possible that this is something related to the PEM standard?
>> No, this is just a printout formatting issue in OpenSSL.
>>
>> Cheers
>> Anders
>> tech support
>>
>>> ------------------------
>>> *From:* martijn.list <mar...@gm...>
>>> *To:* ejb...@li...
>>> *Sent:* Thursday, February 7, 2013 11:03 PM
>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>
>>> Hi,
>>>
>>> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
>>>> The attached file contains the test certificates. The certificate here
>>>> is not issued for PDF signing but this is the same thing that happens to
>>>> the original certificates.
>>>
>>> Verification with OpenSSL seems to be OK after conversion of ca.cer to
>>> PEM (ca.cer.pem)
>>>
>>> openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem
>>> -inform DER
>>>
>>> martijn@coolermaster:~/temp/certs$ openssl crl -in
>>> AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>> verify OK
>>> -----BEGIN X509 CRL-----
>>> MIICLDCCARQCAQEwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UEAwwIQWRtaW5DQTEx
>>> FTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0UXDTEzMDIwNzEyMzY0
>>> N1oXDTEzMDIwODEyMzY0N1qggagwgaUwHwYDVR0jBBgwFoAU3BKuSh4TQDbsjtGJ
>>> S9LNaUfIO5gwCgYDVR0UBAMCAQIwdgYDVR0cBG8wbaBroGmGZ2h0dHA6Ly9pbGlh
>>> Y2EuaXI6ODA4MC9lamJjYS9wdWJsaWN3ZWIvd2ViZGlzdC9jZXJ0ZGlzdD9jbWQ9
>>> Y3JsJmlzc3Vlcj1DTj1BZG1pbkNBMSxPPUVKQkNBJTIwU2FtcGxlLEM9U0UwDQYJ
>>> KoZIhvcNAQEFBQADggEBAHEj9XbM6634R2TtGOtSRGIpbML+/ZF9C/dLBxb76b21
>>> 7cOdm/DGQ7u4cfaW5iU57RRYBXZCajE7xQWRj3yyMJGBm/pn+0IXNN50sjtO6VX2
>>> AEwFtOVxvqSph8x7DDCUK3ZFQgmBgTouigqgKfM41ipamNn/Ri9IR0PxSxXfpo30
>>> akCMYmN/gkmSxgZNzECzdc5kAe9mp+gRemoTZLLgZonzW/bD4H4i6jhrmzD/kCp9
>>> i95y6jSZJR4sPMpSKJ7F8Pa8U0i1H0emBHVK+i9QPBDucH4CncZObm4O/MH7+H1p
>>> u3AjjVKUSWaKl419WOvL7FbXAbt0U2IVaBq5MTPgC9o=
>>> -----END X509 CRL-----
>>>
>>> So OpenSSL thinks the CRL is OK. My own application also thinks the CRL
>>> is OK. The issue with the extra space is an OpenSSL "issue". It seems
>>> that the code for x509 outputs an extra space after : but the code for
>>> crl does not.
>>>
>>> Kind regards,
>>>
>>> Martijn Brinkers
>>>
>>> --
>>> DJIGZO email encryption
>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* ejbca-support <ejb...@pr...>
>>>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>>>> *Sent:* Thursday, February 7, 2013 4:55 PM
>>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>>
>>>> On 2013-02-07 14:05, Alireza Karbasian wrote:
>>>> > Hello
>>>> >
>>>> > I used EJBCA (4.0.13) to issue a certificate for PDF signing.
>>>> > Everything seemed good and documents got signed! Now when I open my PDF
>>>> > in Adobe Reader it tries to validate the certificate against the CRL at my
>>>> > CDP. It can access it but it gives me the error "Issuer names mismatch".
>>>> > I used these commands to check the issuer names:
>>>> >   openssl x509 -in signing.pem -issuer -noout
>>>> >   openssl crl -in crl.pem -issuer -noout
>>>> >
>>>> > and this is the output:
>>>> > openssl x509 -in test.pem -issuer -noout
>>>> > *issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE*
>>>> > openssl crl -in crl.pem -issuer -noout
>>>> > *issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE*
>>>>
>>>> Hi Alireza,
>>>> I have never heard about this before, can you send a
>>>> pasted certificate for us to study?
>>>>
>>>> Cheers
>>>> Anders
>>>> tech support
>>>>
>>>> > As you can see there is a space character at the beginning of the
>>>> > certificate issuer DN. I googled this and came to see there are some
>>>> > discussions about this and assumed that this is a bug (in OpenSSL
>>>> > maybe)! But no solutions!
>>>> > I could not find any related configuration in EJBCA to solve this and
>>>> > yet I'm not even sure that this is a bug! Did anybody encounter such a
>>>> > problem? Is this a bug in EJBCA? Any help or guide will be appreciated!
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
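The two `openssl verify` outcomes Tham reports (the chain-only run passing, the `-crl_check` run failing with "unable to get certificate CRL") and the issuer-DN printout comparison from the original question can be reproduced offline. The script below is an added example, not code from the thread, from EJBCA or from the posters; it builds a throwaway CA, one leaf certificate and an empty CRL with the openssl CLI. The CA subject DN is borrowed from the thread's printout; every key, file name and the leaf subject are constructed here, and `-CRLfile` on `openssl verify` is assumed to be available (OpenSSL 1.0.2 and later). It shows that `-crl_check` consults only CRLs already loaded into the verification store (via `-CAfile` or `-CRLfile`); the CLI never fetches from the CDP, so a CRL that is reachable at the CDP but absent from the store yields exactly that error rather than an issuer mismatch. It also compares issuer DNs with `-nameopt RFC2253`, which removes the cosmetic `issuer= /CN=` versus `issuer=/CN=` difference that started the thread.

```shell
#!/bin/sh
# Added example (not EJBCA's or the thread's code): reproduce the "openssl
# verify" behaviours discussed above against a throwaway PKI built on the fly.
# The CA subject DN is taken from the thread; everything else is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, one leaf signed by it, and an (empty) CRL via "openssl ca -gencrl".
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=AdminCA1/O=EJBCA Sample/C=SE" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=pdf-signer-test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

  # Minimal "openssl ca" configuration, only what -gencrl needs (constructed).
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  echo 01 > "$WORK/serial"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca

[ test_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
serial           = $WORK/serial
new_certs_dir    = $WORK
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 1
policy           = test_policy

[ test_policy ]
commonName = supplied
EOF
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Case 1: chain only, no revocation checking requested. Passes.
verify_chain_only() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 2: -crl_check with no CRL in the store. The CLI does not fetch from the
# CDP, so this fails with X509_V_ERR_UNABLE_TO_GET_CRL. Returns the error text
# so the caller can tell it apart from "certificate revoked" or a DN mismatch.
crl_check_error_without_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" 2>&1 \
    | grep -o 'unable to get certificate CRL' | head -n 1
}

# Case 3a: same check with the CRL handed over explicitly.
verify_with_crlfile() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 3b: CRL appended to the CA bundle; -CAfile loads CRLs as well as
# certificates, which is what a chain.pem holding only certificates lacks.
verify_with_bundled_crl() {
  cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/chain_and_crl.pem"
  openssl verify -crl_check -CAfile "$WORK/chain_and_crl.pem" "$WORK/leaf.pem" \
    >/dev/null 2>&1
}

# Issuer DN of a certificate (x509) or CRL (crl) in RFC 2253 form. The sed
# strips the "issuer=" label and any space after it, so only the DN is compared.
issuer_dn() {  # $1: x509 | crl, $2: PEM file
  openssl "$1" -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

issuers_match() {
  [ "$(issuer_dn x509 "$WORK/leaf.pem")" = "$(issuer_dn crl "$WORK/crl.pem")" ]
}

make_test_pki
printf 'chain only:                 %s\n' "$(verify_chain_only && echo OK || echo FAIL)"
printf 'crl_check, CRL not loaded:  %s\n' "$(crl_check_error_without_crl)"
printf 'crl_check + -CRLfile:       %s\n' "$(verify_with_crlfile && echo OK || echo FAIL)"
printf 'crl_check + CRL in -CAfile: %s\n' "$(verify_with_bundled_crl && echo OK || echo FAIL)"
printf 'issuer DNs (RFC2253) match: %s\n' "$(issuers_match && echo yes || echo no)"
```

If the third and fourth lines print OK while the second prints the error, the "unable to get certificate CRL" failure in the thread is a missing CRL in the verification store, not a property of the certificate. The DN comparison is a string comparison after OpenSSL's own normalisation; it does not say anything about how a different validator (such as Adobe's) matches issuer names.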