Verify CRL signature against its root CA

Submitted by 无人久伴 on 2021-02-08 08:15:17

Question


I'm currently trying to verify that the CRL I download from a URL is a valid file, signed by the corresponding Certificate Authority.

With OpenSSL, you can do this as follows :

https://www.openssl.org/docs/manmaster/apps/crl.html

Example with the CRL issued from CertEurope :

openssl crl -in certeurope_v3.crl -inform der -CAfile certeurope_advanced_v3.cer

(The CRL file and the CA file are downloaded from this URL : https://www.certeurope.fr/chaine-de-confiance )

  • CA file : https://www.certeurope.fr/reference/certeurope_advanced_v3.cer
  • CRL file : https://www.certeurope.fr/reference/certeurope_v3.crl

Unfortunately, OpenSSL gets an error with that command line saying :

"Error getting CRL issuer certificate"

Regarding this link : https://www.openssl.org/docs/manmaster/apps/verify.html The reason seems to be this :

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

Is this because the CA file is not the one used to sign the CRL file ? Is there another way to verify that the CRL file I download is valid ?


Answer 1:


dave_thompson_085 's answer fixed my problem. You need a PEM certificate to check CRL validity. Thanks again.



Source: https://stackoverflow.com/questions/34284375/verify-crl-signature-against-its-root-ca
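
Following the answer above, an added example (not part of the original post): a shell wrapper that converts a DER-encoded CA certificate to PEM before handing it to `openssl crl -CAfile`, then checks for the "verify OK" message. The function names `verify_crl` and `make_demo_pki` and the throwaway CA are constructed for illustration.

```shell
#!/bin/sh
# verify_crl CRL_DER CA_CERT: 0 = signature verifies, 1 = it does not, 2 = unreadable CA file.
verify_crl() {
    pem=$(mktemp) || return 2
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$2"; then
        cp "$2" "$pem"                          # CA file is already PEM
    elif ! openssl x509 -inform der -in "$2" -out "$pem" 2>/dev/null; then
        rm -f "$pem"; return 2                  # neither PEM nor DER
    fi
    # -CAfile is read as PEM. Match on the message rather than the exit
    # status, which is not a reliable signal across OpenSSL versions.
    out=$(openssl crl -inform der -in "$1" -CAfile "$pem" -noout 2>&1) || true
    rm -f "$pem"
    case $out in
        *"verify OK"*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# make_demo_pki DIR: constructed throwaway CA and an empty CRL, both saved as
# DER (ca.cer, crl.der) to mirror the .cer/.crl pair in the question.
make_demo_pki() {
    d=$1
    : > "$d/index.txt"
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo CA
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
default_crl_days = 1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null &&
    openssl ca -gencrl -config "$d/ca.cnf" -cert "$d/ca.pem" \
        -keyfile "$d/ca.key" -out "$d/crl.pem" 2>/dev/null &&
    openssl x509 -in "$d/ca.pem" -outform der -out "$d/ca.cer" &&
    openssl crl -in "$d/crl.pem" -outform der -out "$d/crl.der"
}

# Demo on constructed data: the DER CA file is accepted because it is converted first.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
    verify_crl "$demo/crl.der" "$demo/ca.cer" && echo "CRL signature verified"
rm -rf "$demo"
```

A CRL signed by a different key with the same issuer name returns 1, so the wrapper also catches a CRL that does not belong to the CA file supplied.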
