On Wed, Jan 16, 2008, rfx wrote:

> I make new path using hash name/ ".0" extension for certificat/".r0"
> extension for CRL
>
> The function: 'verify -CApath @CRLCA\ -issuer_checks -crl_check
> "SignCertPEM.cer"
>
> The result is :
> SignCertPEM.cer:
> /C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK
> error 29 at 0 depth lookup:subject issuer mismatch
> /C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK
> error 29 at 0 depth lookup:subject issuer mismatch
> /C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK
> error 29 at 0 depth lookup:subject issuer mismatch
> /C=FR/O=GIP-CPS/OU=GIP-CPS PROFESSIONNEL/CN=GIP-CPS CLASSE-1
> error 29 at 0 depth lookup:subject issuer mismatch
> /C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK
> error 35 at 0 depth lookup:key usage does not include CRL signing
>
> Two questions :
>
> 1) Why the "subject issuer mismatch" error ? also when the result is OK
>
> 2) For this example what mean the error "key usage does not include CRL
> signing" ?
>


Read the manual page entry for the diagnostic option -issuer_checks

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org