Hello there,

> I have a server certificate signed by a local CA company and the root
> certificate that signed it expires very soon. The CA company gave us a
> new root certificate but with the new root certificate OpenSSL is no
> longer able to successfully verify the server certificate.
>
> The working chain is: trust.pem --- a-sign.pem --- server.pem
>
> The no longer working chain is: trust_new.pem --- a-sign.pem --- server.pem
>
> It looks like OpenSSL does not recognize trust_new.pem as the signer of
> a-sign.pem but the question is why? Trust_new.pem looks - at least for
> me - pretty like trust.pem except the changed validity dates and the
> signature.

You can not just replace the trust.pem with trust_new.pem as the new
root ca cert (trust_new.pem) did not sign the sub ca cert (a-sign.pem)
and so the chain is broken. They need to give you a new ca cert and
server cert.

Chris...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
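
An added diagnostic, not part of the original thread: it checks whether a replacement root carries the same subject and public key as the old root, and whether a-sign.pem verifies under it with the system trust store excluded. Only trust.pem and a-sign.pem are names from the thread; renewed.pem, rekeyed.pem, the helper functions and every certificate generated here are constructed for the demo.

```shell
#!/bin/sh
# Added example; all keys and certificates below are constructed throwaway data.

# True when both certificates have the same subject name and public key,
# i.e. $2 is a re-issue of CA $1 rather than a re-keyed or renamed CA.
same_ca_identity() {
    [ "$(openssl x509 -in "$1" -noout -subject -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -subject -pubkey)" ]
}

# True when certificate $2 verifies with root $1 as the ONLY trust anchor.
# The default store is excluded so an old root installed there cannot mask a failure.
verifies_under() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a constructed PKI in scratch directory $1 (subshell keeps cd/set -e local).
make_demo() (
    set -e; cd "$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=v3' \
        '[dn]' 'CN=Constructed Demo Root' \
        '[v3]' 'basicConstraints=critical,CA:TRUE' > ca.cnf
    new() { openssl req -config ca.cnf -nodes -newkey rsa:2048 "$@"; }
    new -x509 -days 2 -keyout root.key -out trust.pem          # expiring root
    openssl req -config ca.cnf -x509 -new -key root.key \
        -days 30 -out renewed.pem                              # same key, new dates
    new -x509 -days 30 -keyout other.key -out rekeyed.pem      # same name, new key
    new -keyout sub.key -out sub.csr -subj '/CN=Constructed Sub CA'
    openssl x509 -req -in sub.csr -CA trust.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.cnf -extensions v3 -out a-sign.pem # signed by old root key
) >/dev/null 2>&1

d=$(mktemp -d) && make_demo "$d"
for root in trust renewed rekeyed; do
    same_ca_identity "$d/trust.pem" "$d/$root.pem" && id=same || id=different
    verifies_under "$d/$root.pem" "$d/a-sign.pem" && v=OK || v=FAIL
    echo "$root.pem: identity vs old root=$id, a-sign.pem verify=$v"
done
```

On real files, call `same_ca_identity trust.pem trust_new.pem` and `verifies_under trust_new.pem a-sign.pem` directly.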