Hello,

Recently our requirements have changed from using an in-house experimental CA to using a single self-signed certificate. I have used the command:

    openssl req -config config.cnf -x509 -newkey rsa -out servercert.pem -outform PEM -keyout serverkey.pem -nodes

to generate said certificate. My config file contains:

    [ req ]
    default_bits = 1024
    default_md = md5
    x509_extensions = root_ca_extensions

    [ root_ca_extensions ]
    basicConstraints = CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

When I attempt to test this using openssl s_server and s_client, I note the following:

    % openssl s_client -showcerts -CAfile servercert.pem
    CONNECTED(00000003)
    depth=0 /C=US/ST=Alabama/L=Huntsville/O=Mutable Realms Incorporated/...
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=Alabama/L=Huntsville/O=Mutable Realms Incorporated/...
    verify error:num=21:unable to verify the first certificate
    verify return:1

Of course, s_client connects and is fine, but that is because it is ignoring this error - my application is not.

Can someone please point out what I'm doing wrong here? Shouldn't providing the server's self-signed certificate in the CAfile suffice for establishing trust?

-Anthony

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
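A local check for the situation above, added here as an example and not part of Anthony's post: it regenerates a self-signed certificate with the posted [ root_ca_extensions ] section and runs "openssl verify" with that certificate as its own CAfile, once with the posted keyUsage and once with keyCertSign added, plus a control where the CAfile holds a different certificate. It assumes openssl is on PATH, uses sha256 and 2048-bit keys instead of the posted md5/1024 so current builds accept the signature, and the subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the posted self-signed
# certificate and test it with "openssl verify" instead of s_client, so the
# trust-anchor check is separated from the TLS handshake.
# Assumptions: openssl on PATH; sha256/2048 instead of md5/1024; constructed CNs.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# write_config FILE KEYUSAGE: the posted [ root_ca_extensions ] with a
# parameterised keyUsage; req needs distinguished_name even when -subj is used.
write_config() {
    cat >"$1" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = dn
x509_extensions = root_ca_extensions
[ dn ]
[ root_ca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = $2
EOF
}

# make_selfsigned NAME KEYUSAGE: the posted req command, made non-interactive.
make_selfsigned() {
    write_config "$WORK/$1.cnf" "$2"
    openssl req -config "$WORK/$1.cnf" -x509 -newkey rsa -out "$WORK/$1cert.pem" \
        -outform PEM -keyout "$WORK/$1key.pem" -nodes \
        -subj "/C=US/O=Example/CN=$1.example" 2>/dev/null
}

# verify_against CAFILE CERT: prints OK, or the first "error N at ..." line
# from openssl verify, which names the depth and reason just like s_client does.
verify_against() {
    out="$(openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>&1)" && { echo OK; return; }
    echo "$out" | sed -n '/^error [0-9]/{p;q;}'
}

make_selfsigned posted "nonRepudiation, digitalSignature, keyEncipherment"
make_selfsigned casign "keyCertSign, digitalSignature, keyEncipherment"
make_selfsigned other  "keyCertSign, digitalSignature, keyEncipherment"
echo "posted keyUsage, CAfile = itself:  $(verify_against postedcert.pem postedcert.pem)"
echo "with keyCertSign, CAfile = itself: $(verify_against casigncert.pem casigncert.pem)"
echo "with keyCertSign, CAfile = other:  $(verify_against othercert.pem casigncert.pem)"
```

Whether the posted keyUsage variant prints OK depends on the OpenSSL release, since some releases only treat a certificate as its own issuer when its keyUsage includes keyCertSign; the keyCertSign variant should verify everywhere, and its fingerprint is the one to compare against what s_server actually presents.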