DOE PIV certificates have 2 signing CAs that have the same subject name but different X509v3 Subject Key Identifiers. Their CRL distribution links are:

    http://sspweb.managed.entrust.com/CRLs/EMSSSPCA1.crl
    http://sspweb.managed.entrust.com/CRLs/EMSSSPCA2.crl

Their corresponding CRLs have issuer names and Authority Key Identifier of:

    /C=US/O=Entrust/OU=Certification Authorities/OU=Entrust Managed Services SSP CA
    Hash file 99b3b749.r0
    X509v3 Authority Key Identifier:
        keyid:D3:CE:E7:5B:89:A7:CD:6C:91:C6:67:36:A9:58:72:09:EC:E2:39:F3

The newer badges have an issuing CA with the same name but a different X509v3 Authority Key Identifier:

    /C=US/O=Entrust/OU=Certification Authorities/OU=Entrust Managed Services SSP CA
    Hash file 99b3b749.r0
    X509v3 Authority Key Identifier:
        keyid:55:B4:6C:33:3F:E3:60:1A:A7:FF:C3:ED:B4:F7:E4:04:DA:29:D0:63

The code below will not allow both CRLs to be loaded because X509_CRL_cmp only compares issuer names and not both issuer name and Authority Key Identifier. This causes pkinit certificate verification (X509_verify_cert) to fail with the code X509_V_ERR_UNABLE_TO_GET_CRL. Eliminating the code and just calling "sk_X509_CRL_push(ca_crls, X509_CRL_dup(xi->crl));" fixes the problem. A better fix would be to compare issuer name and Authority Key Identifier, but I could not find an OpenSSL call that did that.

In pkinit_crypto_openssl.c function load_cas_and_crls():

    for (j = 0; j < size; j++) {
        X509_CRL *x = sk_X509_CRL_value(ca_crls, j);
        flag = X509_CRL_cmp(x, xi->crl);
        if (flag == 0)
            break;
        else
            continue;
    }
    if (flag != 0) {
        pkiDebug("%s: pushing xi->crl onto ca_crl\n", __FUNCTION__);
        sk_X509_CRL_push(ca_crls, X509_CRL_dup(xi->crl));
    }
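The following is an added example, not code from this ticket or from krb5: it reproduces the situation above with two constructed CA keys that share the issuer name quoted in the report, and shows that deduplicating loaded CRLs by issuer name alone keeps only one of them, while keying on (issuer name, Authority Key Identifier) keeps both. It assumes the third-party "cryptography" package is installed; the keys, dates and CRLs are constructed here and are not the real Entrust CRLs.

```python
# Added example (not from the ticket or krb5): two CRLs with the same issuer
# name but different AKIDs, deduplicated the way load_cas_and_crls() does
# (issuer name only) versus by issuer name plus AKID.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Issuer name from the ticket; the signing keys below are constructed, not Entrust's.
ISSUER = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Entrust"),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Certification Authorities"),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Entrust Managed Services SSP CA"),
])

def make_crl(key):
    """Build an empty CRL signed by `key`, carrying an AKID derived from its public key."""
    now = datetime.datetime(2024, 1, 1)  # constructed date
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ISSUER)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=7))
               .add_extension(
                   x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
                   critical=False))
    return builder.sign(key, hashes.SHA256())

def crl_key(crl, use_akid):
    """Identity used for comparison: issuer name, optionally plus the AKID keyid."""
    akid = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    return (crl.issuer.rfc4514_string(), akid.key_identifier if use_akid else None)

def dedup(crls, use_akid):
    """Mirror of the pkinit loop: push a CRL only if no already-loaded CRL compares equal."""
    loaded = []
    for crl in crls:
        if not any(crl_key(x, use_akid) == crl_key(crl, use_akid) for x in loaded):
            loaded.append(crl)
    return loaded

def demo():
    """Returns (CRLs kept by issuer-only comparison, CRLs kept by issuer+AKID comparison)."""
    crls = [make_crl(ec.generate_private_key(ec.SECP256R1())) for _ in range(2)]
    return len(dedup(crls, use_akid=False)), len(dedup(crls, use_akid=True))

if __name__ == "__main__":
    print(demo())  # (1, 2)
```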