Problems with cert validation via CRL
David Gray
deg at davidegray.com
Tue Feb 21 18:59:16 CET 2017
Thanks, Peter!
According to the documentation the trusted certs need to be in a folder named "trusted-certs" in the home directory. I don't believe I've copied them there manually, so if it hasn't happened automatically that could very well be the issue. I'm at work but once I get home I'll check it out and report back.
Really appreciate the help,
Dave
Sent from my iPhone
> On Feb 21, 2017, at 10:13 AM, Peter Lebbing <peter at digitalbrains.com> wrote:
>
>> On 21/02/17 13:20, David Gray wrote:
>> I'm no expert, but when I look at the debug info (attached to
>> original email), it appears that gpgsm is able to get the crl that my
>> cert points to but it may be having trouble parsing it.
>
> Reading that part made me think it couldn't find the issuer of the CRL:
>
>> dirmngr[3184.0]: error fetching certificate by subject: Configuration error
>> dirmngr[3184.0]: CRL issuer certificate {92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found
>
> When I fetch the CRL we're talking about, OpenSSL tells me about it:
>
>> Certificate Revocation List (CRL):
>> Version 2 (0x1)
>> Signature Algorithm: sha256WithRSAEncryption
>> Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
>> Last Update: Feb 20 16:07:34 2017 GMT
>> Next Update: Feb 24 16:07:34 2017 GMT
>> CRL extensions:
>> X509v3 Authority Key Identifier:
>> keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>>
>> X509v3 CRL Number:
>> 822
>
> The issuer is the certificate that gpgsm knows about:
>
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number:
>> e0:23:cb:15:12:83:53:89:ad:61:6e:7a:54:67:6b:21
>> Signature Algorithm: sha256WithRSAEncryption
>> Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
>> Validity
>> Not Before: Dec 22 00:00:00 2014 GMT
>> Not After : May 30 10:48:38 2020 GMT
>> Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA
>> [...]
>> X509v3 extensions:
>> X509v3 Authority Key Identifier:
>> keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
>>
>> X509v3 Subject Key Identifier:
>> 92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
>> [...]
>> SHA1 Fingerprint=59:B8:25:FC:08:86:0B:04:B3:92:CC:25:FE:C4:8C:76:07:53:B6:89
>
> I suspect that even though gpgsm knows about it, dirmngr might not,
> hence the failing CRL verification. I think you need to feed the
> certificate to dirmngr as well.
>
> Whether this is actually the reason you're having problems, I don't know.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
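As an added example (not code from the thread or from GnuPG), a small Python script that does the lookup Peter describes by hand on `openssl ... -text` output: the keyid in dirmngr's "CRL issuer certificate {...} not found" line is the CRL's Authority Key Identifier, and the certificate dirmngr is missing is the one whose Subject Key Identifier equals it. The sample texts are constructed from the values quoted above; the "addtrust-root" entry's SKI is assumed from the intermediate's AKI.

```python
import re

# Constructed sample input, abbreviated from the OpenSSL output quoted above.
CRL_TEXT = """Certificate Revocation List (CRL):
        Issuer: /C=GB/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
"""
CERTS = {
    # The intermediate CA from the reply: its SKI equals the CRL's AKI.
    "comodo-client-ca": """Certificate:
        Subject: C=GB, O=COMODO CA Limited, CN=COMODO SHA-256 Client Authentication and Secure Email CA
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
            X509v3 Subject Key Identifier:
                92:61:6B:82:E1:A2:A0:AA:4F:EC:67:F1:C2:A3:F7:B4:80:00:C1:EC
""",
    # Constructed root stand-in; its SKI is assumed from the intermediate's AKI.
    # It shares no key id with the CRL and must not be reported as its issuer.
    "addtrust-root": """Certificate:
        Subject: C=SE, O=AddTrust AB, CN=AddTrust External CA Root
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
""",
}
DIRMNGR_LINE = ("dirmngr[3184.0]: CRL issuer certificate "
                "{92616B82E1A2A0AA4FEC67F1C2A3F7B48000C1EC} not found")
# 20 bytes as colon-separated hex, optionally prefixed with "keyid:" (AKI form).
_KEYID = r"(?:keyid:)?((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"

def key_identifier(text, which):
    # `which` is "Subject" (SKI) or "Authority" (AKI); result is 40 upper-case
    # hex digits without colons, the form dirmngr prints, or None if absent.
    m = re.search(r"X509v3 %s Key Identifier:\s*\n\s*%s" % (which, _KEYID), text)
    return m.group(1).replace(":", "").upper() if m else None

def missing_issuer_from_log(line):
    # The {keyid} in dirmngr's error is the CRL issuer it could not find.
    m = re.search(r"CRL issuer certificate \{([0-9A-Fa-f]{40})\} not found", line)
    return m.group(1).upper() if m else None

def find_cert_by_keyid(keyid, certs):
    # Name of the certificate whose Subject Key Identifier equals keyid.
    return None if keyid is None else next(
        (n for n, t in certs.items() if key_identifier(t, "Subject") == keyid), None)

def find_crl_issuer(crl_text, certs):
    # The CRL signer is the certificate whose SKI matches the CRL's AKI.
    return find_cert_by_keyid(key_identifier(crl_text, "Authority"), certs)
```

The certificate this returns is the one to hand to dirmngr, as the reply suggests; a bundle in which it comes back as None is the same gap dirmngr is reporting.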
More information about the Gnupg-users mailing list