> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Thursday, 31 May, 2012 13:14
> On 5/31/2012 4:01 PM, Jack Trades wrote:
> > <snip> client is rejecting the server certificate with the
> > following error:
> >
> > -Error with certificate at depth: 1
> > issuer = /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
> > subject = /C=US/ST=VA/L=Fairfax/O=Zork.org/OU=Server Division/CN=Server CA
> > err 24:invalid CA certificate
> > ** Main.c:70 Error connecting SSL object
> > 3080:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:.\ssl\s3_clnt.c:1166:
> >
> Question 1: What list of trusted CAs did you pass to the SSL code, and
> was your Zork root CA on that list?

Verify error 24 isn't "missing from truststore", it's "cert used as
CA/issuer doesn't look like CA". For example KU isn't certSign or
BC.CA is false.

> > I created the following certificates:
> >
> > Create the root CA
> > >openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
> > >openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
> > >type rootcert.pem rootkey.pem > root.pem
> > >openssl x509 -subject -issuer -noout -in root.pem
> >
> > subject= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
> > issuer= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
> >
> Question 2: What are the other fields in rootcert.pem, as displayed by
>
> openssl x509 -in rootcert.pem -noout -purpose -text
>
> One of the other fields may be wrong (such as not being marked as a CA,
> being marked to expire yesterday etc.).

And serverCA.pem, since the error is reported at depth 1.
So, in both cases, the question is what is in section v3_ca of the
config file he used? Especially, is the same one correct for both
root and level-1 CAs -- i.e. pathLength?

> >
> > Create the server CA and sign it with the root CA
> > >openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
> > >openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
> > >type serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
> > >openssl x509 -subject -issuer -noout -in serverCA.pem
> >
> > subject= /C=US/ST=VA/L=Fairfax/O=Zork.org/OU=Server Division/CN=Server CA
> > issuer= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
> >
> > Create the server's certificate and sign it with the server CA
<snip similar but -extensions usr_cert, under serverCA>
> > Create the client certificate and sign it with the root CA
<snip ditto, under root(!)>
> > Create the dh512.pem dh1024.pem
> > >openssl dhparam -check -text -5 512 -out dh512.pem
> > >openssl dhparam -check -text -5 1024 -out dh1024.pem
> >
Aside: don't use 512-bit DH, that's now breakable. Unless you're
required to use the old export suites, and then preferably in a
callback *only* when export.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
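The depth-1 check the two replies above point at (basicConstraints and keyUsage of the level-1 CA, and whether its v3_ca section is right), as an added example that is not part of this thread. It assumes a working openssl binary; the extension sections, the server name and the "(bad)" CA are constructed, while the Root CA / Server CA names mirror the thread.

```shell
# Added example, not from the thread: a root CA plus two level-1 CAs, one with a sane
# v3_ca-style section and one whose section says CA:FALSE, then the depth-1 check that
# yields verify error 24. Assumes openssl; sections and server name are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to run" >&2; exit 0; }
cd "$(mktemp -d)"
cat > ext.cnf <<'EOF'
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ level1_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ broken_ca ]
basicConstraints = CA:FALSE
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
# new_cert NAME SUBJECT SECTION [ISSUER]: CSR, then x509 -req; self-signed when no ISSUER
new_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -eq 4 ]; then
    openssl x509 -req -days 30 -sha256 -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -days 30 -sha256 -in "$1.csr" -signkey "$1.key" \
      -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}
# ca_flags CERT: the two fields error 24 is about (basicConstraints, keyUsage), on one line
ca_flags() {
  openssl x509 -in "$1" -noout -text | grep -A1 -E 'Basic Constraints|Key Usage' | tr -s ' \n' ' '
  echo
}
# verify_chain ROOT INTERMEDIATE LEAF: exit status of openssl verify (0 = chain accepted)
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

new_cert root    "/O=Zork.org/CN=Root CA"          root_ca
new_cert goodca  "/O=Zork.org/CN=Server CA"        level1_ca root
new_cert badca   "/O=Zork.org/CN=Server CA (bad)"  broken_ca root
new_cert srvgood "/O=Zork.org/CN=www.example.test" server goodca
new_cert srvbad  "/O=Zork.org/CN=www.example.test" server badca

ca_flags goodca.pem; ca_flags badca.pem
verify_chain root.pem goodca.pem srvgood.pem        # srvgood.pem: OK
verify_chain root.pem badca.pem srvbad.pem || true  # error 24: invalid CA certificate
```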