Hi!

I'm trying to verify a timestamp that was signed using a signer certificate that has been issued by an intermediate CA. I'm only able to verify when specifying the intermediate CA certificate as "-untrusted" and the root CA cert as "-CAfile":

openssl ts -verify -in /tmp/out10.tsp -queryfile /tmp/out10.tsq -CAfile res/test/dss10/DSSRootCA10.cacert.pem -untrusted res/test/dss10/DSSSubCA11.cacert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: OK

When running with just -CAfile pointing to the intermediate CA cert, I get:

Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
140693337339136:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get issuer certificate

And if setting -CAfile to point to the root CA cert:

Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
140228374308096:error:2F06D064:time stamp routines:ts_verify_cert:certificate verify error:../crypto/ts/ts_rsp_verify.c:182:Verify error:unable to get local issuer certificate

I'm thinking both these variants should have worked (the timestamp response is including the complete chain in the ESSCertID structure).

Attached are the CA certs, the signer cert (ts00003.pem), the query (out10.tsq), and the response (out10.tsp).

Regards,
Marcus Lundblad
Attachment:
DSSRootCA10.cacert.pem
Description: application/pem-file
Attachment:
DSSSubCA11.cacert.pem
Description: application/x509-ca-cert
Attachment:
out10.tsp
Description: Binary data
Attachment:
out10.tsq
Description: Binary data
Attachment:
ts00003.pem
Description: application/x509-ca-cert
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
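Added example, not part of the original post or of OpenSSL's own code: the two "Verify error" strings quoted above are OpenSSL's X.509 chain-verification errors, and this script reproduces them with `openssl verify` (not `openssl ts`) on a constructed root -> sub CA -> signer chain. All names and files are made up, and the last case goes beyond the post by showing the `-partial_chain` verify option, which accepts a chain that ends at a trusted certificate that is not self-signed.

```shell
#!/bin/sh
# Added illustration: constructed throw-away PKI, every name below is made up.
set -e
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null

# issue NAME SUBJECT ISSUER [x509 options]: new key pair, CSR signed by ISSUER.
issue() {
    name=$1 subj=$2 ca=$3; shift 3
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "$subj" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -days 2 -CA "$d/$ca.pem" \
        -CAkey "$d/$ca.key" -CAcreateserial -out "$d/$name.pem" "$@" 2>/dev/null
}
issue sub  "/CN=Example Sub CA" root -extfile "$d/ca.cnf" -extensions v3_ca
issue leaf "/CN=Example Signer" sub

# Prints OK, or the number of the X.509 verification error that was reported:
#   2  = unable to get issuer certificate (chain reached a trusted cert whose
#        own issuer is missing)
#   20 = unable to get local issuer certificate (no issuer found for the leaf)
verify_leaf() {
    out=$(openssl verify "$@" "$d/leaf.pem" 2>&1) && { echo OK; return 0; }
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

echo "root trusted, sub untrusted: $(verify_leaf -CAfile "$d/root.pem" -untrusted "$d/sub.pem")"
echo "only sub trusted           : $(verify_leaf -CAfile "$d/sub.pem")"
echo "only root trusted          : $(verify_leaf -CAfile "$d/root.pem")"
echo "only sub, -partial_chain   : $(verify_leaf -partial_chain -CAfile "$d/sub.pem")"
```

Trusting only the sub CA with `-partial_chain` makes that sub CA the trust anchor, so the root is no longer checked for anything issued beneath it.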