On Thursday 07 February 2013 07:31:55 you wrote:
> On Wed, February 6, 2013 23:47, Thomas Koeller wrote:
> > bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose
> > sslserver cacert/host_ca.pem
> > cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU =
> > K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family
> > Host Signing Certificate
> > error 26 at 0 depth lookup:unsupported certificate purpose
> > OK
> >
> > Can anybody tell why I am getting this error, and what I should do about
> > it?
>
> I think this is correct, you tested your CA intermediate certificate ...

I did that on purpose, because adding the actual server certificate to the
chain does not change the outcome, and I wanted to strip down the test case
as much as possible.

> because of this:
>
> SSL server : No
> SSL server CA : Yes

That should be correct, it's not a host certificate after all.

> I get the same with my CA
>
> by the way, your CA certificates have a very long validity, which key
> length did you use?

4086 bits

> openssl verify -x509_strict -CAfile concatCA.pem -purpose sslserver ssl.pem
>
> concatCA.pem is just this
> ( cat cacert/root_ca.pem; cat cacert/host_ca.pem ) > concatCA.pem
> ssl.pem is signed with the intermediate cert cacert/host_ca.pem and is
> used for your Webserver ...
> will give you just ok.

No, that does not work either. Here is a host certificate:

bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt no_pubkey,no_sigdump -purpose -in host_certs/handy-thomas.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, ST = Hamburg, O = Köller Family, OU = Köller Family Certification Authority, CN = Köller Family Host Signing Certificate
        Validity
            Not Before: Feb  7 20:34:35 2013 GMT
            Not After : Jun  5 23:59:59 2059 GMT
        Subject: C = DE, ST = Hamburg, O = Köller Family, OU = Network Administration, CN = handy-thomas
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

I concatenated the intermediate signing certificate with this one to form
the server certificate, and performed verification of the resulting chain.
Here's the result:

bash-4.0$ cat cacert/host_ca.pem host_certs/handy-thomas.pem >/tmp/test.pem
bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose sslserver /tmp/test.pem
/tmp/test.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family Host Signing Certificate
error 26 at 0 depth lookup:unsupported certificate purpose
OK

> Walter
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

thanks,
Thomas