
I'm using OpenSSL to verify signed code in a custom PKI. How can I verify the CRL of each node of the cert hierarchy?

My hierarchy is: RootCA -> SubCA1 -> SubCA2 -> EndUser. I can verify the CRL for a one-depth chain:

~/$ cat RootCA.crl.pem RootCA.pem > RootCA.chain.pem
~/$ openssl verify -check_crl -CAfile RootCA.chain.pem SubCA1.pem
CN = SubCA1
SubCA1.pem: OK

However, when I try to achieve the same thing with multiple subCAs, the CRL validation fails:

~/$ cat RootCA.crl.pem RootCA.pem > RootCA.chain.pem
~/$ cat SubCA1.crl.pem SubCA1.pem > SubCA1.chain.pem
~/$ openssl verify -check_crl -CAfile RootCA.chain.pem -untrusted SubCA1.chain.pem SubCA2.pem
CN = SubCA1
error 3 at depth 0 lookup: unable to get certificate CRL
error SubCA2.pem: verification failed

Is it possible to achieve this multi-depth verification of the CRL? I've also tried with -check_crl_all, but it gives the same error.




As per https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html, check the output for each node in the cert hierarchy except for the root CA, as it is self-signed and self-signed certificates don't include a CRL.

openssl x509 -noout -text -in SubCA2.pem | grep -A 4 'X509v3 CRL Distribution Points'

It should show something like:

X509v3 CRL Distribution Points:
    Full Name:
      URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl

Or else your SSL certificate doesn't contain a CRL URL, most probably because it is a self-signed certificate.

If you get the above output, store the CRL in a PEM file using

wget -O crl.der http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl
openssl crl -inform DER -in crl.der -outform PEM -out crl.pem

and verify using

cat RootCA.pem SubCA1.pem crl.pem > crl_chain.pem
openssl verify -crl_check -CAfile crl_chain.pem SubCA2.pem
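The multi-depth case from the question, as an added example that is not part of the answer above: `openssl verify` loads CRLs only from `-CAfile` (or `-CRLfile`), not from `-untrusted`, so every CA certificate and its CRL must be in the trusted bundle, after which `-crl_check_all` can check each node at its depth. It assumes the question's file names (RootCA, SubCA1, SubCA2, EndUser as `<name>.pem`, with a `<CA>.crl.pem` per CA) and an `openssl` binary on the path.

```shell
#!/bin/sh
# Added example (not from the question or answer): build the bundle that
# `openssl verify` needs for a multi-level CRL check and verify every node.
# Assumes the question's file names: RootCA.pem, SubCA1.pem, SubCA2.pem,
# EndUser.pem, plus a <CA>.crl.pem for each CA, all in the current directory.
set -eu

# `openssl verify` reads CRLs only from -CAfile/-CRLfile, never from
# -untrusted, so each CA certificate and its CRL go into one bundle file.
build_bundle() {
  out=$1; shift
  : > "$out"
  for ca in "$@"; do
    cat "$ca.pem" "$ca.crl.pem" >> "$out"
  done
}

# Number of PEM objects of one type ("CERTIFICATE" or "X509 CRL") in a file.
count_pem() {
  grep -c -- "-----BEGIN $2-----" "$1" || true
}

# A CA without a CRL in the bundle is what produces
# "unable to get certificate CRL"; fail before calling openssl in that case.
check_bundle() {
  [ "$(count_pem "$1" 'X509 CRL')" -ge "$(count_pem "$1" CERTIFICATE)" ]
}

# -crl_check_all checks the CRL of every issuer in the chain, not just
# the leaf's; each node is verified at its own depth.
verify_chain() {
  bundle=$1; shift
  for node in "$@"; do
    openssl verify -crl_check_all -CAfile "$bundle" "$node.pem" || return 1
  done
}

main() {
  build_bundle pki.bundle.pem RootCA SubCA1 SubCA2
  check_bundle pki.bundle.pem || { echo "bundle is missing a CRL" >&2; return 1; }
  verify_chain pki.bundle.pem SubCA1 SubCA2 EndUser
}

# Run with --run so that sourcing the file only defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it as `sh check_chain.sh --run` from the directory holding the PEM files; a failing `check_bundle` means a CA's CRL never reached the bundle, which is the state the question's `-untrusted` invocation was in.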
  • I followed the same steps mentioned in the link you provided. I used google.com instead of wikipedia.org, but I am getting this issue when verifying the certificate: google.pem: C = US, O = Google Trust Services, CN = GTS CA 1O1 error 2 at 1 depth lookup:unable to get issuer certificate Any idea? – Naveen Ramawat Apr 16 '21 at 16:12