
File A - This is my CRL File - http://pastebin.com/yvstfPTD

File B - It's signed by this cert - http://pastebin.com/T1pXZSat

File C - The CRL signing cert has been issued by this CA http://pastebin.com/Q82PZCh1

File B & C are in directory dir1

When I issue command

```
openssl crl -in A -CApath dir1
```

I get the error

```
Error getting CRL issuer certificate
```

This is a vague error message.

How do I figure out what's the problem here?

All files are in PEM format

user93353

1 Answer


TLDR: IT'S THE WRONG CERT

The issuer name in that CRL is

```
$ openssl crl -in file0 -noout -issuer
issuer=/C=IN/O=Gujarat Narmada Valley Fertilizers Company Ltd./OU=Certifying Authority/postalCode=380054/ST=Gujarat/street=Bodakdev, S G Road, Ahmedabad/houseIdentifier=301, GNFC Infotower/CN=(n)Code Solutions CA 2011-1
```

The subject name in your purported signing cert is

```
$ openssl x509 -in file1 -noout -subject
subject= /C=IN/O=Gujarat Narmada Valley Fertilizers and Chemicals Limited/OU=Certifying Authority/postalCode=380054/ST=Gujarat/street=Bodakdev, S G Road, Ahmedabad/houseIdentifier=301, GNFC Infotower/CN=(n)Code Solutions CA 2014
```

These are not the same. The first one is 'Fertilizers Company Ltd.' while the second one is 'Fertilizers and Chemicals Limited' and the year (or year-like number) in CN is different.

In addition, if I ignore this mismatch and check manually, the RSA signature in the CRL does not 'decrypt' (more accurately, recover) to valid PKCS1-v1_5 padding using the key in the purported signing certificate. This means it was signed with a different keypair, which must have a different cert.

dave_thompson_085
`check manually, the RSA signature in the CRL does not 'decrypt' (more accurately, recover) to valid PKCS1-v1_5 padding using the key in the purported signing certificate.` - how does one do that - can you give the openssl commands? – user93353 Dec 08 '16 at 05:19
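
The two checks described in the answer (issuer name against subject name, then signature recovery with the candidate certificate's key) can be scripted with stock `openssl` subcommands. This is an added example, not part of the original answer or comment. It assumes an RSA-signed CRL; the function names, the minimal config and the two demo CAs ("good" signs the CRL, "wrong" is unrelated) are constructed for illustration.

```shell
#!/bin/sh
# Added example: why does `openssl crl` not accept a given cert as CRL issuer?
# The demo PKI and every file name here are constructed for illustration.

# Name check: CRL issuer hash vs. candidate cert subject hash.
names_match() {  # $1 = CRL (PEM), $2 = candidate issuer cert (PEM)
  [ "$(openssl crl -in "$1" -noout -hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# Key check, ignoring names: extract the signature (last BIT STRING in the
# CRL) and try to recover PKCS#1 v1.5 padding with the cert's RSA public key.
sig_recovers() {  # $1 = CRL, $2 = candidate issuer cert, $3 = scratch dir
  off=$(openssl asn1parse -in "$1" |
        awk -F: '/BIT STRING/ {o=$1} END {print o+0}')
  openssl asn1parse -in "$1" -strparse "$off" -noout -out "$3/sig.bin" &&
  openssl x509 -in "$2" -noout -pubkey > "$3/pub.pem" &&
  openssl pkeyutl -verifyrecover -pubin -inkey "$3/pub.pem" \
    -in "$3/sig.bin" > "$3/digestinfo.der" 2>/dev/null
}

# What openssl itself reports; the verdict is printed on stderr.
crl_verify() {  # $1 = CRL, $2 = candidate issuer cert
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1
}

# Constructed demo PKI: CA "good" signs the CRL, CA "wrong" is unrelated.
make_demo() {  # $1 = empty working directory
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\ndefault_ca=c\n[c]\n' > "$1/cfg"
  printf 'database=%s/index.txt\n' "$1" >> "$1/cfg"
  : > "$1/index.txt"
  for n in good wrong; do
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/cfg" -days 30 \
      -subj "/O=Example/CN=Demo CA $n" \
      -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null || return 1
  done
  openssl ca -gencrl -config "$1/cfg" -md sha256 -crldays 30 \
    -keyfile "$1/good.key" -cert "$1/good.pem" -out "$1/crl.pem" 2>/dev/null
}

d=$(mktemp -d) && make_demo "$d" || exit 1
for c in good wrong; do
  names_match "$d/crl.pem" "$d/$c.pem" && n=match || n=differ
  sig_recovers "$d/crl.pem" "$d/$c.pem" "$d" && k=recovers || k="does not recover"
  echo "$c.pem: names $n, signature $k, openssl: $(crl_verify "$d/crl.pem" "$d/$c.pem" | head -n 1)"
done
```

Against real files, call `names_match` and `sig_recovers` with the CRL and the suspected issuer certificate; a successful recovery leaves the DER-encoded DigestInfo in `digestinfo.der`, which `openssl asn1parse -inform DER` can display.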