Fresh certificate marked as expired / messed-up certificate chain pulling expired root cert in gpgsm

Ángel angel at pgp.16bits.net
Mon Jul 22 00:44:08 CEST 2019


On 2019-07-20 at 20:07 +0200, Dr. Thomas Orgis wrote:
> The chain in the imported new key & cert file how it should be:
> 
> 4. Thomas Orgis (me) signed by DFN-Verein Global Issuing CA
> 3. DFN-Verein Global Issuing CA signed by DFN-Verein Certification Authority 2
> 2. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
> 1. T-TeleSec GlobalRoot Class 2 signed by T-TeleSec GlobalRoot Class 2 (root)
> 
> Compared to what gpgsm sees/shows:
> 
> 4. Thomas Orgis (me) signed by DFN-Verein Global Issuing CA
> 3. DFN-Verein Global Issuing CA signed by DFN-Verein Certification Authority 2
> 2. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
> 1. T-TeleSec GlobalRoot Class 2 signed by Deutsche Telekom Root CA 2
> 0. Deutsche Telekom Root CA 2 signed by Deutsche Telekom Root CA 2 (expired root)
> 
> (...)
> I'd like to have understood first what happened here.


Well, it seems that «T-TeleSec GlobalRoot Class 2» was cross-signed by
«Deutsche Telekom Root CA 2».
This is typically done with new roots so that people with an older set
of roots can trust it through an older one.

Now, your problem is that the old Root CA expired and your client is not
able to find the new trust path.
I would probably try deleting the T-TeleSec GlobalRoot Class 2 and
reimporting it from the root, to see if that helps.
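To illustrate the chain-building behaviour described above, here is an added example that is not part of the original thread and not gpgsm's own code: a toy path builder in Python over constructed certificates (the subject and issuer names follow the thread, the expiry dates are made up). It shows how a builder that follows the first issuer match walks through the cross-certificate into the expired root, while one that backtracks over alternative issuer certificates reaches the self-signed T-TeleSec root.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # constructed expiry date, not the real certificate's

def is_self_signed(c: Cert) -> bool:
    return c.subject == c.issuer

def first_match_chain(leaf, store, today):
    """Naive builder: follows the first cert whose subject matches the issuer
    name and never backtracks. Returns (chain, valid)."""
    chain = [leaf]
    while not is_self_signed(chain[-1]):
        parent = next((c for c in store if c.subject == chain[-1].issuer), None)
        if parent is None:
            return chain, False
        chain.append(parent)
    return chain, all(c.not_after >= today for c in chain)

def backtracking_chain(leaf, store, today, chain=None):
    """Depth-first builder: tries every cert matching the issuer name and
    returns the first path ending at an unexpired self-signed root, else None."""
    chain = (chain or []) + [leaf]
    if leaf.not_after < today:
        return None  # prune: an expired cert cannot be part of a valid path
    if is_self_signed(leaf):
        return chain
    for parent in (c for c in store if c.subject == leaf.issuer and c not in chain):
        found = backtracking_chain(parent, store, today, chain)
        if found:
            return found
    return None

TODAY = date(2019, 7, 20)
LEAF = Cert("Thomas Orgis", "DFN-Verein Global Issuing CA", date(2021, 1, 1))
# Store order is deliberate: the cross-signed copy of T-TeleSec GlobalRoot Class 2
# is listed before the self-signed one, so the naive builder walks into the expired root.
STORE = [
    Cert("DFN-Verein Global Issuing CA", "DFN-Verein Certification Authority 2", date(2023, 1, 1)),
    Cert("DFN-Verein Certification Authority 2", "T-TeleSec GlobalRoot Class 2", date(2023, 1, 1)),
    Cert("T-TeleSec GlobalRoot Class 2", "Deutsche Telekom Root CA 2", date(2023, 1, 1)),  # cross-cert
    Cert("Deutsche Telekom Root CA 2", "Deutsche Telekom Root CA 2", date(2019, 7, 9)),  # expired
    Cert("T-TeleSec GlobalRoot Class 2", "T-TeleSec GlobalRoot Class 2", date(2033, 1, 1)),  # root
]

if __name__ == "__main__":
    print([c.subject for c in first_match_chain(LEAF, STORE, TODAY)[0]], first_match_chain(LEAF, STORE, TODAY)[1])
    print([c.subject for c in backtracking_chain(LEAF, STORE, TODAY)])
```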