>I am testing with revoking certificates.
>
>My PKI has a root and 2 intermediates, which then sign server and client certificates.
>My test environment consists of an s_client and an s_server referencing the corresponding files and a verifydir with c_rehashed files.
>TLS connections work fine from s_client to s_server, the chain is exposed and recognized properly.
>
>I successfully revoked server certificates with the intermediate CA CRL.
>When trying to connect using the s_client "-crl_check" arg, the "certificate revoked" notification shows up correctly.
>
>I also successfully created a CRL with the root CA that revokes one of the intermediates.
>The serial number of the revoked intermediate is shown correctly in the CRL, and the CRL is c_rehashed in the verify dir of the client.
>But no matter what I try, the s_client does NOT show "certificate revoked" when I connect to the corresponding s_server using the certificate signed by the revoked intermediate.
>
>Any ideas what I could be doing wrong?
>
>I am on version OpenSSL 1.0.1f 6 Jan 2014

Thanks for the answers and the time spent. Sorry, did not mean to trigger a debate of principles :-)

In further tracking down the cause I was trying to use "openssl verify" commands. When I issue "openssl verify -CApath verifydir -crl_check revokedIntermediate.crt", the intermediate cert is correctly shown as revoked, so the content of the verifydir is fine, I think. Somehow s_client does not recognize that when connecting to the corresponding s_server.
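The following is an added example, not part of the original post or the poster's files. It builds a throwaway root -> intermediate -> server PKI with the OpenSSL CLI, has the root revoke the intermediate, fills a verify directory the way c_rehash would, and then runs `openssl verify` with the two revocation flags that s_client and verify share. `-crl_check` looks up a CRL for the leaf certificate only; `-crl_check_all` looks up a CRL for every certificate in the chain, which is the only way a revoked intermediate is noticed when the leaf itself is not revoked. The subjects, file names and temporary directory are constructed for the example; it assumes only an `openssl` binary in PATH.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway three-level PKI built
# with the OpenSSL CLI to show how -crl_check and -crl_check_all differ.
# -crl_check looks up a CRL for the leaf certificate only; -crl_check_all looks
# up a CRL for every certificate in the chain, which is the only way a revoked
# intermediate is noticed. All names, paths and subjects below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK"
mkdir verifydir
# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Generate a key and CSR: $1 = file prefix, $2 = subject CN (constructed values).
newkey_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Write the minimal `openssl ca` config that -revoke and -gencrl need: $1 = CA prefix.
ca_conf() {
    : > "$1.index"
    echo 01 > "$1.crlnumber"
    cat > "$1.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database         = $WORK/$1.index
crlnumber        = $WORK/$1.crlnumber
certificate      = $WORK/$1.crt
private_key      = $WORK/$1.key
default_md       = sha256
default_crl_days = 30
EOF
}

# Root -> intermediate -> server leaf. CA certs get CA:TRUE and cRLSign so that
# OpenSSL accepts the CRLs they sign.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
newkey_csr root "Test Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt 2>/dev/null
newkey_csr inter "Test Intermediate CA"
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -extfile ca.ext -out inter.crt 2>/dev/null
newkey_csr server "server.example.test"
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 -extfile leaf.ext -out server.crt 2>/dev/null

# The root revokes the intermediate; the intermediate publishes an empty CRL so
# the leaf's own CRL lookup succeeds (a missing CRL is a verify error of its own).
ca_conf root
ca_conf inter
openssl ca -config root.cnf -revoke inter.crt 2>/dev/null
openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null
openssl ca -config inter.cnf -gencrl -out inter.crl 2>/dev/null

# What c_rehash does: <subject-hash>.0 for trusted certs, <issuer-hash>.r0 for CRLs.
cp root.crt  "verifydir/$(openssl x509 -noout -hash -in root.crt).0"
cp root.crl  "verifydir/$(openssl crl -noout -hash -in root.crl).r0"
cp inter.crl "verifydir/$(openssl crl -noout -hash -in inter.crl).r0"

# Verify certificate $2 with revocation flag $1; print OK, revoked, or the raw error.
# The output is parsed instead of the exit status because `openssl verify` in
# OpenSSL 1.0.x exits 0 even when verification fails.
verify_with() {
    out=$(openssl verify -CApath verifydir -untrusted inter.crt "$1" "$2" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *"$2: OK"*)              echo OK ;;
        *)                       echo "other: $out" ;;
    esac
}

echo "verify -crl_check     server.crt -> $(verify_with -crl_check server.crt)"      # OK: only the leaf is checked
echo "verify -crl_check_all server.crt -> $(verify_with -crl_check_all server.crt)"  # revoked: the intermediate is checked too
echo "verify -crl_check     inter.crt  -> $(verify_with -crl_check inter.crt)"       # revoked: here the intermediate is the leaf
```

The third line mirrors the post's `openssl verify -crl_check revokedIntermediate.crt`: with the intermediate given as the target it is the leaf of the chain being verified, so `-crl_check` does consult the root's CRL. When the server certificate is the leaf, only `-crl_check_all` walks up to the intermediate; s_client accepts the same two options. Note that `-crl_check_all` then needs a CRL from every issuer in the chain, the root's own CRL included, in the verify directory.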