Should CRL from CA2 fail user auth with certs issued by CA1 if CRL from CA1?

rosect · 02-07-2014, 12:37 PM

I have two CAs, say CA1 and CA2. I will use user cert issued by CA1 to do auth. But, I will include CRL published by CA2 in my system.

openSSL seems to throw the error of X509_V_ERR_UNABLE_TO_GET_CRL, which means a CRL can not be found.

It is true that it can not be found because I did not include it. I included a CRL from another CA.

My question is: why a CRL from a CA bothers the auth with certs from another CA?

unSpawn · 02-08-2014, 07:07 AM

Quote:

Originally Posted by rosect

My question is: why a CRL from a CA bothers the auth with certs from another CA?

Lets return the question: what would be the purpose of a verification request validating against or trusting a CRL from a CA that resides outside its path or trust?