Thanks. it works. Jeff
Dr S N Henson wrote:
>
>Jeff Smith wrote:
> >
> > ... and using -verbose option, the step (3) verify would produce:
> >
> > % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt
> >
> > error 18 at 0 depth lookup:self signed certificate
> > error 7 at 0 depth lookup:certificate signature failure
> > 21970:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block
>type
> > is not 01:rsa_pk1.c:100:
> > 21970:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> > failed:rsa_eay.c:396:
> > 21970:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1
>object
> > call:a_verify.c:109:
> >
>
>Probably a typo somewhere which resulted in a certificate being signed
>by the wrong key, usually though this produces an error.
>
>The two CA certificates shouldn't have the same name: it will confuse
>some software.
>
>Also when you sign the CSR for the intermediate CA you need to include
>the -extensions v3_ca command line option.
>
>If that doesn't help then post the three certificates.
>
>Steve.
>--
>Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>Personal Email: [EMAIL PROTECTED]
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the OpenSSL project: http://www.openssl.org/
>Business Email: [EMAIL PROTECTED] PGP key: via homepage.
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
