I think it's because your "my-cacert.pem" is not considered a CA: it has "CA:FALSE"

arch [temp]$ openssl x509 -in my-cacert.pem
-----BEGIN CERTIFICATE-----
MIIC9jCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJDQTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMRAwDgYDVQQDEwdteS1yb290MR8wHQYJKoZIhvcNAQkBFhByb290QHdp
ZGdpdHMuY29tMB4XDTA5MDIwNDAxNTA1MloXDTEyMDIwNDAxNTA1MloweDELMAkG
A1UEBhMCQ0ExEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAxMHbXktcm9vdDEfMB0GCSqGSIb3DQEJ
ARYQcm9vdEB3aWRnaXRzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
sFZr5Htj5VUc69iYiFaRGGCQvsgrCw6kJFo9DZVRkMvmDYwpZ8vVg6H/l1xL+mWA
Ur2T/z32JvLKPEH7DyXzQehdVFjVxS2zmfdIOI8P7CMH3pOuhiko8vPc+xhS5a4q
6Khvryx0n88RB1xj58WKtW9Op9FsG0ASE33Kh4oRhtMCAwEAAaOBjzCBjDAJBgNV
HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIEsDAsBglghkgBhvhCAQ0EHxYdT3BlblNT
TCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFDKh9W+fw4bPij+S9LXC
m/RIl2xEMB8GA1UdIwQYMBaAFDKh9W+fw4bPij+S9LXCm/RIl2xEMA0GCSqGSIb3
DQEBBQUAA4GBAKt7JnTmCzTQTw+bKtgkpR50Dw2wpQwL2pjYtVfRXX4eBcvgvLtY
BAktaD03TN1ZKurZX6dWY0n9GP2nwUIQfkkQdXVlkOE//EiObPj6A0knzn2Rc/Cl
nVgkYYWsQ122359RC8/1N+piN0XZrxM9JIfl9wcij71HZAeueddl3olF
-----END CERTIFICATE-----
arch [temp]$
arch [temp]$ openssl x509 -in my-cacert.pem -text | grep -A1 Constra
            X509v3 Basic Constraints:
                CA:FALSE
arch [temp]$

The openssl verify command succeeds, but I think it's because it's more lenient (http://openssl.org/docs/apps/verify.html#)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
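
As an added example (not part of the original message or of the OpenSSL project): a script that creates two self-signed roots differing only in basicConstraints, then reads the CA flag back with the same grep the reply uses. The config section names, file names and CN are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: the same key type and subject, issued once as a CA
# and once with CA:FALSE, to show what the flag check distinguishes.
set -eu

WORK=$(mktemp -d)              # scratch directory; all names below are constructed
trap 'rm -rf "$WORK"' EXIT

# Minimal config: v3_ca marks the certificate as a CA, v3_leaf does not.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo-root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# make_root <extension section> <output basename>
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/demo.cnf" -extensions "$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Print TRUE or FALSE for the CA flag; prints nothing if the
# certificate carries no Basic Constraints extension at all.
ca_flag() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Basic Constraints' \
    | grep -o 'CA:[A-Z]*' | cut -d: -f2
}

make_root v3_ca   good-root
make_root v3_leaf bad-root
echo "good-root CA flag: $(ca_flag "$WORK/good-root.pem")"
echo "bad-root  CA flag: $(ca_flag "$WORK/bad-root.pem")"
```

Running `ca_flag` against a root before adding it to a trust store catches the CA:FALSE case without relying on how strict a particular verifier is.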