Hi,
I have the same problem as described in this post on the mailing list. Unfortunately, deleting the expired root certificate is only a short-term solution in my setup. This is because when reading old emails, my email client pulls the old root certificate in again so that it can check the expired signatures of an email from a few years ago.
PROBLEM DESCRIPTION
My certificate gets pulled into the expired chain if the expired certificate exists.
The correct chain is as follows (please see the attachments for more details on the chain):
- Denis Stogl (me) signed by KIT-CA
- KIT-CA signed by DFN-Verein Certification Authority 2
- DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
- T-TeleSec GlobalRoot Class 2 signed by T-TeleSec GlobalRoot Class 2 (root)
The wrong chain:
- Denis Stogl (me) signed by KIT-CA
- KIT-CA signed by DFN-Verein Certification Authority 2
- DFN-Verein Certification Authority 2 signed by T-TeleSec GlobalRoot Class 2
- T-TeleSec GlobalRoot Class 2 signed by Deutsche Telekom Root CA 2 (expired)
- Deutsche Telekom Root CA 2 signed by Deutsche Telekom Root CA 2 (expired)
The concrete problem is that at step 3 to 4, gpgsm is using the expired "T-TeleSec GlobalRoot Class 2" in the chain instead of the current one. If I delete the expired certificates "T-TeleSec GlobalRoot Class 2" or "DFN-Verein Certification Authority 2" and import my private key again, the chain becomes correct, and the current "T-TeleSec GlobalRoot Class 2" is used in the chain.
Do you have any idea what is happening here? Please look at the discussion on the mailing list because there are some ideas about the problem.
Thanks and cheers,
Denis
See P9 for samples (user account required)
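The situation in the report is a classic path-building problem: the intermediate "DFN-Verein Certification Authority 2" has one issuer key, but the store holds two certificates for that key, the current self-signed "T-TeleSec GlobalRoot Class 2" root and an older cross-certificate for the same key issued by the expired "Deutsche Telekom Root CA 2". A builder that takes the first subject/key match it finds and never backtracks will follow the cross-certificate up to the expired root. The toy builder below is an added example, not gpgsm code: the certificate records are constructed stand-ins with names, key identifiers and expiry dates only (no keys, no signatures, dates chosen for illustration), so it runs offline. It shows the naive walk ending on the expired root, the "delete the expired certificate" workaround making that walk succeed, and a backtracking builder that prefers valid, self-signed issuers and finds the correct chain without deleting anything.

```python
"""Toy X.509 path building with competing issuer certificates.

Added example, not code from gpgsm or GnuPG. Certificates are stand-ins
(subject, issuer, key identifiers, expiry); all names, key ids and dates
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # stand-in for the Subject Key Identifier
    issuer_key_id: str   # stand-in for the Authority Key Identifier
    not_after: datetime

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.issuer_key_id

    def is_valid_at(self, now: datetime) -> bool:
        return now <= self.not_after


def issuer_candidates(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Every cert in the store that could have issued `cert`: the issuer
    name must match and the AKI must point at the candidate's SKI. Two
    certs for the same CA key (self-signed root and cross-cert) both match."""
    return [c for c in store
            if c.subject == cert.issuer and c.key_id == cert.issuer_key_id]


def build_chain_naive(ee: Cert, store: List[Cert]) -> List[Cert]:
    """Walk upwards taking the first matching issuer in store order and stop
    at a self-signed cert. Validity is never consulted, so if the expired
    cross-cert is found before the self-signed root, the chain ends on the
    expired 'Deutsche Telekom Root CA 2' exactly as in the report."""
    chain = [ee]
    while not chain[-1].is_self_signed():
        cands = issuer_candidates(chain[-1], store)
        if not cands:
            raise LookupError(f"no issuer found for {chain[-1].subject!r}")
        chain.append(cands[0])
    return chain


def build_chain(ee: Cert, store: List[Cert], now: datetime) -> Optional[List[Cert]]:
    """Depth-first path building with backtracking (the RFC 4158 approach):
    try every issuer candidate, valid and self-signed ones first, and return
    the first chain whose members are all valid at `now` and which ends in a
    self-signed root. Returns None if no such chain exists."""
    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        tail = chain[-1]
        if not tail.is_valid_at(now):
            return None                      # dead end: prune and backtrack
        if tail.is_self_signed():
            return chain
        ranked = sorted(issuer_candidates(tail, store),
                        key=lambda c: (not c.is_valid_at(now), not c.is_self_signed()))
        for cand in ranked:
            if cand in chain:                # cross-signing can form loops
                continue
            found = walk(chain + [cand])
            if found is not None:
                return found
        return None
    return walk([ee])


def chain_is_valid(chain: List[Cert], now: datetime) -> bool:
    """Every member unexpired at `now` and the chain anchored in a self-signed cert."""
    return bool(chain) and chain[-1].is_self_signed() and all(c.is_valid_at(now) for c in chain)


# Constructed PKI mirroring the report. Dates are made up; the point is only
# that the cross-cert and the old root are expired while the new root is not.
NOW = datetime(2020, 6, 1)
EXPIRED = datetime(2019, 7, 9)
DT_ROOT_OLD = Cert("Deutsche Telekom Root CA 2", "Deutsche Telekom Root CA 2",
                   "DT2", "DT2", EXPIRED)
TTELESEC_CROSS = Cert("T-TeleSec GlobalRoot Class 2", "Deutsche Telekom Root CA 2",
                      "TT2", "DT2", EXPIRED)          # same key TT2 as the root below
TTELESEC_ROOT = Cert("T-TeleSec GlobalRoot Class 2", "T-TeleSec GlobalRoot Class 2",
                     "TT2", "TT2", datetime(2033, 10, 1))
DFN_CA2 = Cert("DFN-Verein Certification Authority 2", "T-TeleSec GlobalRoot Class 2",
               "DFN2", "TT2", datetime(2031, 2, 22))
KIT_CA = Cert("KIT-CA", "DFN-Verein Certification Authority 2",
              "KIT", "DFN2", datetime(2024, 1, 1))
EE = Cert("Denis Stogl", "KIT-CA", "EE", "KIT", datetime(2022, 1, 1))

# Store order puts the expired cross-cert ahead of the self-signed root,
# which is what makes the naive builder go wrong.
STORE = [EE, KIT_CA, DFN_CA2, TTELESEC_CROSS, DT_ROOT_OLD, TTELESEC_ROOT]
# The reported workaround: drop the expired cross-cert from the store.
STORE_WITHOUT_CROSS = [c for c in STORE if c is not TTELESEC_CROSS]

if __name__ == "__main__":
    for label, chain in (("naive", build_chain_naive(EE, STORE)),
                         ("naive after deleting cross-cert", build_chain_naive(EE, STORE_WITHOUT_CROSS)),
                         ("backtracking", build_chain(EE, STORE, NOW))):
        print(f"{label}: valid={chain_is_valid(chain, NOW)}")
        for c in chain:
            print(f"  {c.subject} <- {c.issuer} (expires {c.not_after.date()})")
```

The naive walk is what the report observes: five certificates ending on the expired "Deutsche Telekom Root CA 2", and removing the cross-certificate "fixes" it only because the root is then the sole candidate. The backtracking builder reaches the four-certificate chain anchored in the current root while the cross-certificate is still in the store, which is why re-importing the old root from an old signed mail would not break it.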