From: Andreas B. <ab...@an...> - 2013-02-09 15:14:12
Dear Alireza

On 09.02.2013 14:37, Alireza Karbasian wrote:
>
> Well I figured out the problem and I thought to explain it here, maybe it
> can help someone!

Great that you share your findings and learnings with this list! This is what
I call F/OSS spirit and helps to promote and improve EJBCA at the end of the
day. Thanks again.

cheers,
h.

> ------------------------------------------------------------------------
> *From:* Tham Wickenberg <ejb...@pr...>
> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
> *Sent:* Friday, February 8, 2013 7:44 PM
> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>
> Hello,
>
> * I curled the CRL from the CDP and the CRL verifies with OpenSSL
>
> * I printed info in certificates, it looks good to me
>
> * I verified the certificate against the CA chain but NOT the CRL; it checks out OK
>
> openssl verify -verbose -CAfile chain.pem certdownloadedFromEJBCA.pem
>
> certdownloadedFromEJBCA.pem: OK
>
> * I try to verify the certificate against CA AND CRL (CDP) and it fails
>
> openssl verify -verbose -crl_check -CAfile chain.pem certdownloadedFromEJBCA.pem
>
> certdownloadedFromEJBCA.pem: /CN=RooznamehRasmi/OU=rooznameh rasmi/O=JUD/C=IR
> error 3 at 0 depth lookup:unable to get certificate CRL
>
> I am unsure what this means however.
>
> /Tham Wickenberg
>
>
> On 2/8/13 4:37 PM, ejbca-support wrote:
>> On 2013-02-08 15:31, Alireza Karbasian wrote:
>>> ok if we assume that this is just a printout issue in openssl, so
>>> what's happening to main certificates from ejbca? I used the PEM
>>> certificate downloaded from EJBCA and not the converted one with
>>> openssl. I send the ca chain and signed pdf so you can check it out! I
>>> see the error in adobe acrobat 9, 10 and 11!
>> Hi Alireza
>> Could you check that the CRL does not verify with OpenSSL?
>> I don't see any problems but the PDF didn't validate here either :-)
>>
>> Anders
>>>
>>> ------------------------------------------------------------------------
>>> *From:* ejbca-support <ejb...@pr...>
>>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>>> *Sent:* Friday, February 8, 2013 3:48 PM
>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>
>>> On 2013-02-08 13:05, Alireza Karbasian wrote:
>>>> yes! this is what I guessed also! but the problem is that I did not
>>>> convert the certificates with openssl but I downloaded the PEM certificate
>>>> from EJBCA and published the CRL in the CDP and the same thing happens!
>>>> is it possible that this is something related to the PEM standard?
>>> No, this is just a printout formatting issue in OpenSSL.
>>> Cheers
>>> Anders
>>> tech support
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* martijn.list <mar...@gm...>
>>>> *To:* ejb...@li...
>>>> *Sent:* Thursday, February 7, 2013 11:03 PM
>>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>>
>>>> Hi,
>>>>
>>>> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
>>>>> The attached file contains the test certificates. The certificate here
>>>>> is not issued for pdf signing but this is the same thing that happens to
>>>>> the original certificates.
>>>> Verification with OpenSSL seems to be ok after conversion of ca.cer to
>>>> PEM (ca.cer.pem)
>>>>
>>>> openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>>>
>>>> martijn@coolermaster:~/temp/certs$ openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>>> verify OK
>>>>
>>>> So OpenSSL thinks the CRL is ok. My own application also thinks the CRL
>>>> is ok. The issue with the extra space is an OpenSSL "issue". It seems
>>>> that the code for x509 outputs an extra space after : but the code for
>>>> crl does not.
>>>>
>>>> Kind regards,
>>>>
>>>> Martijn Brinkers
>>>>
>>>>
>>>> --
>>>> DJIGZO email encryption
>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* ejbca-support <ejb...@pr...>
>>>>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>>>>> *Sent:* Thursday, February 7, 2013 4:55 PM
>>>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>>>
>>>>> On 2013-02-07 14:05, Alireza Karbasian wrote:
>>>>> > hello
>>>>> >
>>>>> > I used EJBCA (4.0.13) to issue a certificate for PDF signing.
>>>>> > Everything seemed good and documents got signed! Now when I open my PDF
>>>>> > in adobe reader it tries to validate the certificate against the CRL with my
>>>>> > CDP. It can access it but it gives me an error that "Issuer names mismatch".
>>>>> > I used these commands to check the issuer names:
>>>>> > openssl x509 -in signing.pem -issuer -noout
>>>>> > openssl crl -in crl.pem -issuer -noout
>>>>> >
>>>>> > and this is the output:
>>>>> > openssl x509 -in test.pem -issuer -noout
>>>>> > issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE
>>>>> > openssl crl -in crl.pem -issuer -noout
>>>>> > issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE
>>>>>
>>>>> Hi Alireza,
>>>>> I have never heard about this before, can you send a
>>>>> pasted certificate for us to study?
>>>>>
>>>>> Cheers
>>>>> Anders
>>>>> tech support
>>>>>
>>>>>
>>>>> > As you can see there is a space character in the beginning of the
>>>>> > certificate issuer DN. I googled this and came to see there are some
>>>>> > discussions about this and assumed that this is a bug (in openssl
>>>>> > maybe)! but no solutions!
>>>>> > I could not find any related configuration in EJBCA to solve this and
>>>>> > yet I'm not sure even that this is a bug! Did anybody encounter such a
>>>>> > problem? Is this a bug in EJBCA? Any help or guide will be appreciated!
>>>>> >
>>>>> > ------------------------------------------------------------------------------
>>>>> > Free Next-Gen Firewall Hardware Offer
>>>>> > Buy your Sophos next-gen firewall before the end March 2013
>>>>> > and get the hardware for free! Learn more.
>>>>> > http://p.sf.net/sfu/sophos-d2d-feb
>>>>> >
>>>>> > _______________________________________________
>>>>> > Ejbca-develop mailing list
>>>>> > Ejb...@li...
>>>>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop

--
Andreas Bürki
ab...@an...

S/MIME certificate - SHA1 fingerprint:
ED:A5:F3:60:70:8B:4C:16:44:18:96:AE:67:B9:CA:77:AE:DA:83:11
GnuPG - GPG fingerprint:
5DA7 5F48 25BD D2D7 E488 05DF 5A99 A321 7E42 0227
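The three checks the thread walks through (Martijn's CRL signature check, Tham's chain-plus-CRL verify, and Alireza's issuer comparison), as an added shell example that is not code from the thread, from EJBCA or from OpenSSL: it builds a throwaway CA, leaf certificate and CRL on the fly, passes the CRL explicitly to `openssl verify`, and compares the issuer DNs in RFC 2253 form so that the `issuer=` spacing difference between `x509` and `crl` output cannot be mistaken for a real mismatch. It assumes an `openssl` binary on PATH; the DN, file names and config are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA, leaf and CRL built on the
# fly, then the thread's checks. Assumes openssl on PATH; names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fixtures() {
    # CA whose DN copies the one printed in the thread, purely for illustration
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=AdminCA1/O=EJBCA Sample/C=SE" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Leaf certificate signed by that CA (stands in for the EJBCA-issued one)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pdf-signer" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
    # Empty CRL from the same CA; "openssl ca" needs a minimal config and database
    printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s/index.txt\ndefault_md=sha256\ndefault_crl_days=1\n' \
        "$WORK" > "$WORK/ca.cnf"
    : > "$WORK/index.txt"
    openssl ca -config "$WORK/ca.cnf" -gencrl -cert "$WORK/ca.pem" \
        -keyfile "$WORK/ca.key" -out "$WORK/crl.pem" 2>/dev/null
}

# Check 1 (Martijn's test): is the CRL signed by the CA?  "verify OK" goes to stderr.
crl_verifies() {
    openssl crl -in "$WORK/crl.pem" -CAfile "$WORK/ca.pem" -noout 2>&1 | grep -q '^verify OK'
}
# Check 2 (Tham's test): chain + CRL verification.  "error 3 ... unable to get
# certificate CRL" means no CRL for the issuer was supplied; pass it via -CRLfile.
leaf_verifies() {
    openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}
# Check 3 (Alireza's test, made robust): compare issuer DNs in RFC 2253 form and
# drop the "issuer=" label with whatever spacing the tool prints, so the cosmetic
# x509-vs-crl difference cannot be mistaken for a real mismatch.
issuer_of() {   # $1 = x509 | crl, $2 = file
    openssl "$1" -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}
issuers_match() {
    [ "$(issuer_of x509 "$WORK/leaf.pem")" = "$(issuer_of crl "$WORK/crl.pem")" ]
}

make_fixtures
crl_verifies  && echo "CRL signature: OK"
leaf_verifies && echo "leaf chain + CRL check: OK"
issuers_match && echo "issuer DNs match: $(issuer_of crl "$WORK/crl.pem")"
```

Leaving out `-CRLfile` (or not appending the CRL to the `-CAfile` bundle) reproduces the `unable to get certificate CRL` result from the thread, which is a lookup failure, not a signature or issuer-name failure.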