From: ejbca-support <ejb...@pr...> - 2013-02-09 15:19:20
On 2013-02-09 14:37, Alireza Karbasian wrote:
>
> Well, I figured out the problem and I thought I'd explain it here; maybe it can help someone!
> In fact the problem was with the CRL issuer field in certificate profiles under CDP Address! If you generate this field it will appear in the certificate under CDP as Directory access info!
> Now the bug or mistake is with Adobe Reader! It compares this field with the certificate (or CRL) issuer and generates an "issuer mismatch" error! But it must compare, for example, cert.authorityKeyIdentifier = crl.authorityKeyIdentifier = ca.subjectKeyIdentifier.
>
> I removed this field and it's working!

Alireza, I am happy to hear that it works and very much appreciate that you shared the solution with the EJBCA community!

Cheers
Anders
tech support

> *From:* Tham Wickenberg <ejb...@pr...>
> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
> *Sent:* Friday, February 8, 2013 7:44 PM
> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>
> Hello,
>
> * I curled the CRL from the CDP and the CRL verifies with OpenSSL
> * I printed info in certificates; it looks good to me
> * I verified the certificate against the CA chain but NOT the CRL; it checks out OK
>
>     openssl verify -verbose -CAfile chain.pem certdownloadedFromEJBCA.pem
>     certdownloadedFromEJBCA.pem: OK
>
> * I tried to verify the certificate against the CA AND the CRL (CDP) and it fails
>
>     openssl verify -verbose -crl_check -CAfile chain.pem certdownloadedFromEJBCA.pem
>     certdownloadedFromEJBCA.pem: /CN=RooznamehRasmi/OU=rooznameh rasmi/O=JUD/C=IR
>     error 3 at 0 depth lookup:unable to get certificate CRL
>
> I am unsure what this means, however.
>
> /Tham Wickenberg
>
> On 2/8/13 4:37 PM, ejbca-support wrote:
>> On 2013-02-08 15:31, Alireza Karbasian wrote:
>>> OK, if we assume that this is just a printout issue in openssl, then what's happening to the main certificates from EJBCA? I used the PEM certificate downloaded from EJBCA and not the one converted with openssl. I sent the CA chain and the signed PDF so you can check it out! I see the error in Adobe Acrobat 9, 10 and 11!
>> Hi Alireza
>> Could you check that the CRL does not verify with OpenSSL?
>> I don't see any problems but the PDF didn't validate here either :-)
>>
>> Anders
>>
>>> *From:* ejbca-support <ejb...@pr...>
>>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>>> *Sent:* Friday, February 8, 2013 3:48 PM
>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>
>>> On 2013-02-08 13:05, Alireza Karbasian wrote:
>>>> Yes! This is what I guessed also! But the problem is that I did not convert the certificates with openssl; I downloaded the PEM certificate from EJBCA and published the CRL in the CDP, and the same thing happens!
>>>> Is it possible that this is something related to the PEM standard?
>>> No, this is just a printout formatting issue in OpenSSL.
>>>
>>> Cheers
>>> Anders
>>> tech support
>>>
>>>> *From:* martijn.list <mar...@gm...>
>>>> *To:* ejb...@li...
>>>> *Sent:* Thursday, February 7, 2013 11:03 PM
>>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>>
>>>> Hi,
>>>>
>>>> On 02/07/2013 08:12 PM, Alireza Karbasian wrote:
>>>>> The attached file contains the test certificates. The certificate here is not issued for PDF signing, but this is the same thing that happens to the original certificates.
>>>> Verification with OpenSSL seems to be OK after conversion of ca.cer to PEM (ca.cer.pem):
>>>>
>>>>     openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>>>
>>>>     martijn@coolermaster:~/temp/certs$ openssl crl -in AdminCA1\(downloadedFromEJBCA\).crl -CAfile ca.cer.pem -inform DER
>>>>     verify OK
>>>>     -----BEGIN X509 CRL-----
>>>>     MIICLDCCARQCAQEwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UEAwwIQWRtaW5DQTEx
>>>>     FTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0UXDTEzMDIwNzEyMzY0
>>>>     N1oXDTEzMDIwODEyMzY0N1qggagwgaUwHwYDVR0jBBgwFoAU3BKuSh4TQDbsjtGJ
>>>>     S9LNaUfIO5gwCgYDVR0UBAMCAQIwdgYDVR0cBG8wbaBroGmGZ2h0dHA6Ly9pbGlh
>>>>     Y2EuaXI6ODA4MC9lamJjYS9wdWJsaWN3ZWIvd2ViZGlzdC9jZXJ0ZGlzdD9jbWQ9
>>>>     Y3JsJmlzc3Vlcj1DTj1BZG1pbkNBMSxPPUVKQkNBJTIwU2FtcGxlLEM9U0UwDQYJ
>>>>     KoZIhvcNAQEFBQADggEBAHEj9XbM6634R2TtGOtSRGIpbML+/ZF9C/dLBxb76b21
>>>>     7cOdm/DGQ7u4cfaW5iU57RRYBXZCajE7xQWRj3yyMJGBm/pn+0IXNN50sjtO6VX2
>>>>     AEwFtOVxvqSph8x7DDCUK3ZFQgmBgTouigqgKfM41ipamNn/Ri9IR0PxSxXfpo30
>>>>     akCMYmN/gkmSxgZNzECzdc5kAe9mp+gRemoTZLLgZonzW/bD4H4i6jhrmzD/kCp9
>>>>     i95y6jSZJR4sPMpSKJ7F8Pa8U0i1H0emBHVK+i9QPBDucH4CncZObm4O/MH7+H1p
>>>>     u3AjjVKUSWaKl419WOvL7FbXAbt0U2IVaBq5MTPgC9o=
>>>>     -----END X509 CRL-----
>>>>
>>>> So OpenSSL thinks the CRL is OK. My own application also thinks the CRL is OK. The issue with the extra space is an OpenSSL "issue". It seems that the code for x509 outputs an extra space after : but the code for crl does not.
>>>>
>>>> Kind regards,
>>>>
>>>> Martijn Brinkers
>>>>
>>>> --
>>>> DJIGZO email encryption
>>>>
>>>>> *From:* ejbca-support <ejb...@pr...>
>>>>> *To:* Alireza Karbasian <ili...@ya...>; ejb...@li...
>>>>> *Sent:* Thursday, February 7, 2013 4:55 PM
>>>>> *Subject:* Re: [Ejbca-develop] Issuer mismatch error
>>>>>
>>>>> On 2013-02-07 14:05, Alireza Karbasian wrote:
>>>>> > Hello
>>>>> >
>>>>> > I used EJBCA (4.0.13) to issue a certificate for PDF signing. Everything seemed good and documents got signed! Now when I open my PDF in Adobe Reader it tries to validate the certificate against the CRL with my CDP. It can access it, but it gives me an error that "Issuer names mismatch".
>>>>> > I used these commands to check the issuer names:
>>>>> >
>>>>> >     openssl x509 -in signing.pem -issuer -noout
>>>>> >     openssl crl -in crl.pem -issuer -noout
>>>>> >
>>>>> > and this is the output:
>>>>> >
>>>>> >     openssl x509 -in test.pem -issuer -noout
>>>>> >     issuer= /CN=AdminCA1/O=EJBCA Sample/C=SE
>>>>> >     openssl crl -in crl.pem -issuer -noout
>>>>> >     issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE
>>>>>
>>>>> Hi Alireza,
>>>>> I have never heard about this before, can you send a pasted certificate for us to study?
>>>>>
>>>>> Cheers
>>>>> Anders
>>>>> tech support
>>>>>
>>>>> > As you can see, there is a space character at the beginning of the certificate issuer DN. I googled this and came to see there are some discussions about this and assumed that this is a bug (in openssl maybe)! But no solutions!
>>>>> > I could not find any related configuration in EJBCA to solve this and yet I'm not even sure that this is a bug! Did anybody encounter such a problem? Is this a bug in EJBCA? Any help or guide will be appreciated!
>>>>> >
>>>>> > ------------------------------------------------------------------------------
>>>>> > Free Next-Gen Firewall Hardware Offer
>>>>> > Buy your Sophos next-gen firewall before the end March 2013
>>>>> > and get the hardware for free! Learn more.
>>>>> > http://p.sf.net/sfu/sophos-d2d-feb
>>>>> >
>>>>> > _______________________________________________
>>>>> > Ejbca-develop mailing list
>>>>> > Ejb...@li...
>>>>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
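The thread ends up with two practical points: `openssl verify -crl_check` reports "unable to get certificate CRL" when no CRL is supplied locally (it never fetches from the CDP URL, which is what Tham's second command ran into), and the sound way to tie a CRL to a certificate's issuer is the key-identifier chain Alireza describes (cert AKI = CRL AKI = CA SKI) together with the issuer DN, compared in a way that ignores printout differences such as the extra space Martijn traced to OpenSSL's x509 output. The script below is an added example written for this page, not code from the thread or from EJBCA: it builds a throwaway CA, a signing certificate with a CDP and a CRL entirely with the OpenSSL CLI (assumed to be 1.1.1 or later, for `req -addext`), then runs those checks. All DNs, file names and the CDP URL are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway CA + signing cert + CRL built with
# the OpenSSL CLI, then the thread's checks. Assumes OpenSSL 1.1.1+ (req -addext).
# Every DN, file name and URL here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

build_demo_pki() {
  # Minimal config so `openssl ca -gencrl` works without a system CA directory.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
crl_extensions   = crl_ext
policy           = any_policy
[ any_policy ]
commonName       = supplied
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  touch index.txt
  echo 01 > serial
  echo 01 > crlnumber
  # Self-signed CA with an SKI; the leaf's and the CRL's AKI must point at it.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config ca.cnf \
    -subj "/CN=DemoCA/O=Example/C=SE" -keyout ca.key -out ca.pem \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
  # Signing certificate carrying an AKI and a (constructed) CDP URL.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=pdf-signer/O=Example/C=SE" -keyout leaf.key -out leaf.csr 2>/dev/null
  cat > leaf.ext <<'EOF'
authorityKeyIdentifier = keyid
keyUsage               = critical,digitalSignature,nonRepudiation
crlDistributionPoints  = URI:http://pki.example.invalid/demo.crl
EOF
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
  # Empty CRL signed by the CA, as a CDP would serve it.
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# Martijn's check: does the CRL signature verify against the CA certificate?
crl_signature_ok() {
  openssl crl -in crl.pem -CAfile ca.pem -noout 2>&1 | grep -q 'verify OK'
}

# Tham's verify runs. `openssl verify` does not download from the CDP, so the
# -crl_check form needs -CRLfile; without it you get "unable to get certificate CRL".
verify_chain()       { openssl verify -CAfile ca.pem leaf.pem; }
verify_without_crl() { openssl verify -crl_check -CAfile ca.pem leaf.pem 2>&1 || true; }
verify_with_crl()    { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem; }

# Issuer DN with "issuer=" and any whitespace after it removed, so the extra
# space that older `openssl x509 -issuer` output prints cannot cause a false mismatch.
issuer_of() {  # $1 = x509|crl, $2 = file
  openssl "$1" -in "$2" -noout -issuer | sed 's/^issuer=[[:space:]]*//'
}

# Key identifier taken from -text output; some versions prefix AKI values with "keyid:".
key_id() {  # $1 = x509|crl, $2 = file, $3 = "Subject Key Identifier" | "Authority Key Identifier"
  openssl "$1" -in "$2" -noout -text | grep -A1 "$3" | tail -n1 \
    | sed 's/^[[:space:]]*//; s/^keyid://'
}

# The comparison the thread converges on: issuer DNs agree and cert AKI == CRL AKI == CA SKI.
crl_matches_issuer() {
  ca_ski=$(key_id x509 ca.pem 'Subject Key Identifier')
  [ "$(issuer_of x509 leaf.pem)" = "$(issuer_of crl crl.pem)" ] &&
    [ "$(key_id x509 leaf.pem 'Authority Key Identifier')" = "$ca_ski" ] &&
    [ "$(key_id crl crl.pem 'Authority Key Identifier')" = "$ca_ski" ]
}

build_demo_pki
crl_signature_ok && echo "CRL signature: verify OK"
echo "chain only:                 $(verify_chain)"
echo "crl_check, no CRL supplied: $(verify_without_crl | tr '\n' ' ')"
echo "crl_check with -CRLfile:    $(verify_with_crl)"
if crl_matches_issuer; then echo "issuer DN and AKI/SKI: match"; else echo "issuer DN and AKI/SKI: MISMATCH"; fi
```

The script works in a temporary directory that it removes on exit, so it can be run repeatedly. The `crl_matches_issuer` function is the part worth reusing against a real certificate and CRL: it performs the key-identifier and normalized-DN comparison rather than a byte-for-byte comparison of printed issuer strings, which is exactly the kind of comparison that went wrong in the reader described in the thread.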