Fresh certificate gets pulled into certificate chain with expired root certificate
Open, HighPublic

Description

Hi,

I have the same problem as described in this post on the mailing list. Unfortunately, deleting the expired root certificate is only a short-term solution in my setup, because when I read old emails my email client pulls in the old root certificate again so that it can check the expired signatures on emails from a few years ago.

PROBLEM DESCRIPTION
My certificate constantly gets pulled into the expired chain if the expired certificate exists.

The correct chain is as follows (please see the attachments for more details on the chain):

  1. Denis Stogl (me) signed by KIT-CA
  2. KIT-CA signed by DFN-Verein Certification Authority 2
  3. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
  4. T-TeleSec GlobalRoot Class 2 signed by T-TeleSec GlobalRoot Class 2 (root)

The wrong chain:

  1. Denis Stogl (me) signed by KIT-CA
  2. KIT-CA signed by DFN-Verein Certification Authority 2
  3. DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
  4. T-TeleSec GlobalRoot Class 2 signed by Deutsche Telekom Root CA 2 (expired)
  5. Deutsche Telekom Root CA 2 signed by Deutsche Telekom Root CA 2 (expired)

The concrete problem is that at step 3 to 4 gpgsm uses the expired "T-TeleSec GlobalRoot Class 2" in the chain instead of the current one. If I delete the expired certificates "T-TeleSec GlobalRoot Class 2" or "DFN-Verein Certification Authority 2" and import my private key again, the chain becomes correct and the current "T-TeleSec GlobalRoot Class 2" is used in the chain.

Do you have any idea what is happening here? Please look at the discussion on the mailing list, as there are some ideas about the problem there.

Thanks and cheers,

Denis

correct chain: (attached image)

wrong chain: (attached image)
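To make the reported chain-selection problem concrete, here is an added example (a constructed model, not gpgsm's own chain-building code) in which a certificate store holds both the expired cross-signed copy of "T-TeleSec GlobalRoot Class 2" and the live self-signed root, and a chain builder that ranks candidates by validity ends at the right root. The certificate names follow the report; the expiry dates, the `Cert` class and the `build_chain` / `chain_is_valid` helpers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    def is_self_signed(self):
        return self.subject == self.issuer
    def is_valid_at(self, when):
        return when <= self.not_after

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed store mirroring the names in the report; expiry dates are made up.
# Two entries share the subject "T-TeleSec GlobalRoot Class 2": the expired
# cross-signed copy (issued by Deutsche Telekom Root CA 2) and the live self-signed root.
STORE = [
    Cert("Denis Stogl", "KIT-CA", day(2021, 1, 1)),
    Cert("KIT-CA", "DFN-Verein Certification Authority 2", day(2022, 1, 1)),
    Cert("DFN-Verein Certification Authority 2", "T-TeleSec GlobalRoot Class 2", day(2023, 1, 1)),
    Cert("T-TeleSec GlobalRoot Class 2", "Deutsche Telekom Root CA 2", day(2019, 7, 9)),
    Cert("T-TeleSec GlobalRoot Class 2", "T-TeleSec GlobalRoot Class 2", day(2033, 10, 1)),
    Cert("Deutsche Telekom Root CA 2", "Deutsche Telekom Root CA 2", day(2019, 7, 9)),
]

def build_chain(leaf, store, when, prefer_valid):
    # Walk issuer links from the leaf until a self-signed certificate is reached.
    # prefer_valid=False takes the first matching issuer in store order (the
    # failure mode in the report); prefer_valid=True ranks candidates so that one
    # still valid at `when` wins, and among those the self-signed one.
    chain, seen = [leaf], {leaf}
    while not chain[-1].is_self_signed():
        wanted = chain[-1].issuer
        candidates = [c for c in store if c.subject == wanted and c not in seen]
        if not candidates:
            raise LookupError(f"no issuer certificate found for {wanted!r}")
        if prefer_valid:
            candidates.sort(key=lambda c: (not c.is_valid_at(when), not c.is_self_signed()))
        chain.append(candidates[0])
        seen.add(candidates[0])
    return chain

def chain_is_valid(chain, when):
    # True only if every certificate in the chain is unexpired at `when`.
    return all(c.is_valid_at(when) for c in chain)
```

With the store as constructed, store-order selection produces the five-certificate chain ending in the expired Deutsche Telekom Root CA 2, while the validity-ranked selection produces the four-certificate chain ending in the self-signed T-TeleSec root.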

Details

Version
2.2.4 on Ubuntu 16.04
destogl created this task. Thu, Sep 5, 2:10 PM
werner triaged this task as High priority. Thu, Sep 5, 3:56 PM
werner added projects: S/MIME, gnupg (gpg22).
werner added a subscriber: werner.

Thanks for the sample certs. I noticed the posts but had not had the time to look into them.