> This is not a check of the intermediate certificate as an actual > intermediate in a chain, this only checks it as a leaf certificate. > Your entire chain is just: > root ---> revokedIntermediate Yes - as a leaf of root, using the roots crl to see if any root-signed certs are revoked. > Try: > openssl s_client -crl_check_all ... Works! Great, thanks for the hint Viktor. Just recognized, that the manpage lists the "crl_check_all" options right after the "crl_check", which i used... >_< Using the crl_check_all it also complains about a missing crl now, when I remove the root's crl from the store. This wasnt the case when using crl_check, which also wondered me a bit before. Not it all makes sense :-) Thanks again!
