Hi there: A couple of things:

1: Neither of your CA certs has "certSign" as a keyUsage. This is the most likely cause of failure.

2: Your router cert has a Basic constraint of CA=true - while probably not causing you any problems, this is EXTREMELY dangerous.

I would suggest you go and make sure that your CA structure is properly configured according to RFC5280, and then repeat your tests.

Best Regards,
Patrick.

On 2010-08-10, at 12:55 PM, ZhangHongdi wrote:

> Hi guys,
>
> I know it is really a frequently asked question, but after a long time of attempts I still cannot solve it, so any suggestion will be appreciated.
>
> My Chain Structure is like this: hongdiz-root-ca --> hongdiz-ca1 --> hongdiz-router-1
>
> Upon verifying cert, it always failed between hongdiz-ca1 and hongdiz-router-1.
>
> From previous mail threads and documents, OpenSSL will first use subject/issuer name to match cert, then Subject Key ID/Authority Key ID. It seems they are matched in my cert chain. I enclosed all the certs in attachment.
>
> 1. Verify hongdiz-root-ca --> hongdiz-ca1 --> hongdiz-router-1 [Failed]
>
> [r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile ../hongdiz-root-ca/hongdiz-root-ca_cert.pem -untrusted ../hongdiz-ca1/hongdiz-ca1_cert.pem hongdiz-router-1_cert.pem
> hongdiz-router-1_cert.pem: /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> 2. Verify hongdiz-root-ca --> hongdiz-ca1 [OK]
>
> [r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile ../hongdiz-root-ca/hongdiz-root-ca_cert.pem ../hongdiz-ca1/hongdiz-ca1_cert.pem
> ../hongdiz-ca1/hongdiz-ca1_cert.pem: OK
>
> 3. Verify hongdiz-ca1 --> hongdiz-router-1 [Failed]
>
> [r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile ../hongdiz-ca1/hongdiz-ca1_cert.pem ../hongdiz-router-1/hongdiz-router-1_cert.pem
> ../hongdiz-router-1/hongdiz-router-1_cert.pem: /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> 4. OpenSSL Server/Client verify Failed (put hongdiz-root-ca cert and hongdiz-ca1 cert into ca-chain.pem)
>
> [r...@hongdiz-server-1 hongdiz-router-1]# openssl s_server -cert hongdiz-router-1_cert.pem -key hongdiz-router-1_key.pem -CAfile ../ca-chain.pem
> Using default temp DH parameters
> ACCEPT
> -----BEGIN SSL SESSION PARAMETERS-----
> MHUCAQECAgMBBAIAOQQgIKlqp1dJzX9YCO1IF8XOIrS7COcmwKcb7/AYeTP+1xgE
> MO7GI9I3jTWuYTmcPrvBWuIaJWXMYyDDh68MQDXCetdAqDiOcOkRhbuZlKi7gbCG
> CaEGAgRMYV4MogQCAgEspAYEBAEAAAA=
> -----END SSL SESSION PARAMETERS-----
> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
> CIPHER is DHE-RSA-AES256-SHA
>
> [r...@hongdiz-server-1 OpenSSL]# openssl s_client -connect localhost:4433 -CAfile ca-chain.pem
> CONNECTED(00000003)
> depth=0 /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
>    i:/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-ca1.crdc.cisco.com
>  1 s:/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-ca1.crdc.cisco.com
>    i:/C=CN/ST=Shanghai/L=A12/O=Cisco/OU=IPCBU/CN=hongdiz-root-ca.crdc.cisco.com
>  2 s:/C=CN/ST=Shanghai/L=A12/O=Cisco/OU=IPCBU/CN=hongdiz-root-ca.crdc.cisco.com
>    i:/C=CN/ST=Shanghai/L=A12/O=Cisco/OU=IPCBU/CN=hongdiz-root-ca.crdc.cisco.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIC0jCCAjugAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJDTjER
> MA8GA1UECBMIU2hhbmdoYWkxDjAMBgNVBAoTBUNpc2NvMQ4wDAYDVQQLEwVJUENC
> VTEjMCEGA1UEAxMaaG9uZ2Rpei1jYTEuY3JkYy5jaXNjby5jb20wHhcNMTAwODEw
> MTQwMDQ3WhcNMjAwODA3MTQwMDQ3WjBqMQswCQYDVQQGEwJDTjERMA8GA1UECBMI
> U2hhbmdoYWkxDjAMBgNVBAoTBUNpc2NvMQ4wDAYDVQQLEwVJUENCVTEoMCYGA1UE
> AxMfaG9uZ2Rpei1yb3V0ZXItMS5jcmRjLmNpc2NvLmNvbTCBnzANBgkqhkiG9w0B
> AQEFAAOBjQAwgYkCgYEAylT5XpGWrEhDWfUnVpL2PI6rVg8dCsLXBn8V1OQCyC//
> bxhQZqROmLbh/STsger7G5PvX5kaM1XviAuoM6iJMpqx/xqE+atbndYBaMYtLQmF
> wYj/GFOq+CBX970/pj6YqOhjgDEY1EDjj1dVYKn8oSAlkZtXUlXNAtQiiQBUsJEC
> AwEAAaOBjDCBiTAMBgNVHRMEBTADAQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
> IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJrg2qojNXvIL5wYCvijF
> 1YPoKfQwHwYDVR0jBBgwFoAU2DFYT7Juy0nk9rjbzniXGJJhMUswCwYDVR0PBAQD
> AgXgMA0GCSqGSIb3DQEBBQUAA4GBADQWQ8qbuFDkobScXAESLz7FeNLQ3jYOQagx
> l7aij6hVzJrFvub6/9Olg7DXZWjxPNIXnRKirBu1zYJwS+2lULWAfHAgVPhVmT+p
> kEDofpUJ1T3/tq08w6+ZdNdaL2MoBuxE2GVb97Kz5oXjWjmbUI0cu9zXA5vvgK2G
> WEg4q4Nd
> -----END CERTIFICATE-----
> subject=/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
> issuer=/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-ca1.crdc.cisco.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2752 bytes and written 279 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 20A96AA75749CD7F5808ED4817C5CE22B4BB08E726C0A71BEFF0187933FED718
>     Session-ID-ctx:
>     Master-Key: EEC623D2378D35AE61399C3EBBC15AE21A2565CC6320C387AF0C4035C27AD740A8388E70E91185BB9994A8BB81B08609
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1281449484
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
>
> <CA1.pem><rootCA.pem><router-1.pem>
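The two points in Patrick's reply can be read straight out of the certificate's X.509v3 extensions. The following is an added example (not code from either poster, not OpenSSL's own code) that decodes the hongdiz-router-1 certificate quoted in the s_client output above with a small DER walker written only against the Python 3 standard library, and reports basicConstraints and keyUsage. It assumes the certificate text as quoted in the mail, with the one stray space that the mail quoting introduced into the base64 removed; the role names "ca" and "end-entity" and the wording of the findings are this example's own. Run against the attached CA certificates (which are not on the page), the same "ca" check would flag a keyUsage extension without keyCertSign, which is exactly the condition under which OpenSSL refuses to select a candidate as issuer and reports error 20 (unable to get local issuer certificate).

```python
import base64

# Constructed from the thread above: the hongdiz-router-1 certificate exactly as
# s_client printed it, with the stray space in the quoted base64 removed.
ROUTER_1_PEM = """-----BEGIN CERTIFICATE-----
MIIC0jCCAjugAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJDTjER
MA8GA1UECBMIU2hhbmdoYWkxDjAMBgNVBAoTBUNpc2NvMQ4wDAYDVQQLEwVJUENC
VTEjMCEGA1UEAxMaaG9uZ2Rpei1jYTEuY3JkYy5jaXNjby5jb20wHhcNMTAwODEw
MTQwMDQ3WhcNMjAwODA3MTQwMDQ3WjBqMQswCQYDVQQGEwJDTjERMA8GA1UECBMI
U2hhbmdoYWkxDjAMBgNVBAoTBUNpc2NvMQ4wDAYDVQQLEwVJUENCVTEoMCYGA1UE
AxMfaG9uZ2Rpei1yb3V0ZXItMS5jcmRjLmNpc2NvLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAylT5XpGWrEhDWfUnVpL2PI6rVg8dCsLXBn8V1OQCyC//
bxhQZqROmLbh/STsger7G5PvX5kaM1XviAuoM6iJMpqx/xqE+atbndYBaMYtLQmF
wYj/GFOq+CBX970/pj6YqOhjgDEY1EDjj1dVYKn8oSAlkZtXUlXNAtQiiQBUsJEC
AwEAAaOBjDCBiTAMBgNVHRMEBTADAQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJrg2qojNXvIL5wYCvijF
1YPoKfQwHwYDVR0jBBgwFoAU2DFYT7Juy0nk9rjbzniXGJJhMUswCwYDVR0PBAQD
AgXgMA0GCSqGSIb3DQEBBQUAA4GBADQWQ8qbuFDkobScXAESLz7FeNLQ3jYOQagx
l7aij6hVzJrFvub6/9Olg7DXZWjxPNIXnRKirBu1zYJwS+2lULWAfHAgVPhVmT+p
kEDofpUJ1T3/tq08w6+ZdNdaL2MoBuxE2GVb97Kz5oXjWjmbUI0cu9zXA5vvgK2G
WEg4q4Nd
-----END CERTIFICATE-----"""

# KeyUsage bit positions as defined in RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Children of a constructed element as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def analyze(pem):
    """Return {'ca': bool, 'key_usage': list or None, 'extensions': [oid, ...]}."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(b64))   # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                      # tbsCertificate ::= SEQUENCE
    info = {"ca": False, "key_usage": None, "extensions": []}
    for tag, body in children(tbs):
        if tag != 0xA3:                             # extensions [3] EXPLICIT
            continue
        for _, ext in children(read_tlv(body)[1]):  # SEQUENCE OF Extension
            parts = dict(children(ext))             # 0x06 OID, 0x01 critical, 0x04 value
            oid = decode_oid(parts[0x06])
            info["extensions"].append(oid)
            if oid == "2.5.29.19":                  # basicConstraints: SEQUENCE { cA BOOLEAN, ... }
                info["ca"] = any(t == 0x01 and v != b"\x00"
                                 for t, v in children(read_tlv(parts[0x04])[1]))
            elif oid == "2.5.29.15":                # keyUsage: BIT STRING, first byte = unused bits
                bits = read_tlv(parts[0x04])[1][1:]
                info["key_usage"] = [n for i, n in enumerate(KEY_USAGE_BITS)
                                     if i // 8 < len(bits) and bits[i // 8] >> (7 - i % 8) & 1]
    return info


def profile_problems(pem, role):
    """RFC 5280 profile problems for a certificate meant as 'ca' or 'end-entity'."""
    info, problems = analyze(pem), []
    ku = info["key_usage"]
    if role == "ca":
        if not info["ca"]:
            problems.append("basicConstraints CA:TRUE missing: cannot be used as an issuer")
        if ku is not None and "keyCertSign" not in ku:
            problems.append("keyUsage present but without keyCertSign: OpenSSL will not accept "
                            "it as issuer (error 20, unable to get local issuer certificate)")
    else:
        if info["ca"]:
            problems.append("end-entity certificate carries CA:TRUE: its key could issue "
                            "certificates that chain to your CA")
        if ku is not None and "keyCertSign" in ku:
            problems.append("end-entity certificate asserts keyCertSign")
    return problems


if __name__ == "__main__":
    print(analyze(ROUTER_1_PEM))
    for role in ("end-entity", "ca"):
        print(role, profile_problems(ROUTER_1_PEM, role))
```

For the quoted router certificate this reports basicConstraints CA:TRUE and a keyUsage of digitalSignature, nonRepudiation and keyEncipherment (no keyCertSign), which is what Patrick's second point describes. The same fields are visible with `openssl x509 -noout -text -in hongdiz-ca1_cert.pem` under "X509v3 Basic Constraints" and "X509v3 Key Usage"; in an OpenSSL x509v3 config section the CA certificates would carry `basicConstraints = critical, CA:TRUE` and `keyUsage = critical, keyCertSign, cRLSign`, and the router certificate `basicConstraints = CA:FALSE`.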