> From: owner-openssl-us...@openssl.org On Behalf Of Pingzhong Li
> Sent: Monday, 20 February, 2012 14:55
> To: openssl-users@openssl.org
> Subject: self signed cert verification is failed

> we have a server which has a self signed certificate, however when we tried
> to use openssl to connect to server, the server certification verification
> is always failing. So I used s_client command to try to find out why it is
> failing. <snip>

Commandline verify also gives the error, more easily.

> Attached is the ca file which has the self signed cert
> http://old.nabble.com/file/p33359051/serverCert.pem (serverCert.pem). We
> used self signed cert before and we didn't see any verification issues
> before. I am thinking that it might be that openssl doesn't like this self
> signed cert for some reasons, however after inspection of the cert, I could
> not find anything wrong with self signed cert. Could someone shed some
> light on this?

OpenSSL implements a self-signed cert as issued by itself 
(which it kind of is) and so won't recognize it if 
KeyUsage is present and does not allow keyCertSign.

(Unless, I see in stepping through check_issued, the 
subject has proxyCertInfo, which I never heard of, 
and appears probably unusable here anyway.)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
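
One way to check a certificate for the condition described in the reply above, as an added example that is not part of the original thread: the script builds two constructed self-signed certificates (the poster's serverCert.pem is not used) and flags the one whose KeyUsage lacks keyCertSign. The function names, subject name and temp files are assumptions; the `openssl verify` result is printed as the installed OpenSSL reports it.

```shell
#!/bin/sh
# Added example with constructed test certificates; all names here are hypothetical.

# make_cert OUT KEYUSAGE: self-signed cert whose only extension is the given KeyUsage.
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed.example
[ext]
keyUsage = critical, $2
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# is_self_issued CERT: true when subject and issuer names are identical.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# keyusage_lacks_certsign CERT: true when KeyUsage is present without keyCertSign.
keyusage_lacks_certsign() {
    ku=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1)
    [ -n "$ku" ] || return 1          # no KeyUsage extension, so nothing restricts signing
    case "$ku" in *"Certificate Sign"*) return 1 ;; esac
    return 0
}

# diagnose CERT: one-line verdict for the condition named in the reply.
diagnose() {
    if is_self_issued "$1" && keyusage_lacks_certsign "$1"; then
        echo "self-issued, KeyUsage without keyCertSign"
    else
        echo "no KeyUsage conflict"
    fi
}

tmp=$(mktemp -d)
make_cert "$tmp/bad.pem"  "digitalSignature, keyEncipherment"
make_cert "$tmp/good.pem" "digitalSignature, keyEncipherment, keyCertSign"
for c in bad good; do
    echo "$c.pem: $(diagnose "$tmp/$c.pem")"
    openssl verify -CAfile "$tmp/$c.pem" "$tmp/$c.pem" || true   # printed, not asserted
done
```

To test a real certificate, call `diagnose` on its PEM file instead of the generated ones.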
