On Thursday 07 February 2013 07:31:55 you wrote:
> On Wed, February 6, 2013 23:47, Thomas Koeller wrote:
> > bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose sslserver cacert/host_ca.pem
> > cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family Host Signing Certificate
> > error 26 at 0 depth lookup:unsupported certificate purpose
> > OK
> > 
> > Can anybody tell why I am getting this error, and what I should do about
> > it?
> 
> I think this is correct, you tested your CA intermediate certificate ...
> 
I did that on purpose, because adding the actual server certificate to the 
chain does not change the outcome, and I wanted to strip down 
the test case as much as possible.

> because of this:
> > SSL server : No
> > SSL server CA : Yes
That should be correct, it's not a host certificate after all.

> 
> I get the same with my CA
> 
> by the way, your CA certificates have a very long validity, which key
> length did you use?
4086 bits

> 
> openssl verify -x509_strict -CAfile concatCA.pem -purpose sslserver ssl.pem
> 
> concatCA.pem is just this
> ( cat cacert/root_ca.pem; cat cacert/host_ca.pem ) > concatCA.pem
> ssl.pem is signed with the intermediate cert cacert/host_ca.pem and is
> used for your Webserver ...
> will give you just ok.
No, that does not work either. Here is a host certificate:

bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt no_pubkey,no_sigdump -purpose -in host_certs/handy-thomas.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, ST = Hamburg, O = Köller Family, OU = Köller Family Certification Authority, CN = Köller Family Host Signing Certificate
        Validity
            Not Before: Feb  7 20:34:35 2013 GMT
            Not After : Jun  5 23:59:59 2059 GMT
        Subject: C = DE, ST = Hamburg, O = Köller Family, OU = Network Administration, CN = handy-thomas
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

I concatenated the intermediate signing certificate with this one to form the server certificate, and performed verification of the resulting chain. Here's the result:

bash-4.0$ cat cacert/host_ca.pem host_certs/handy-thomas.pem >/tmp/test.pem
bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose sslserver /tmp/test.pem
/tmp/test.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family Host Signing Certificate
error 26 at 0 depth lookup:unsupported certificate purpose
OK


> 
> Walter
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

thanks,
Thomas
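
The verification the thread is exercising, reproduced as an added shell example that is not part of the thread: it builds a throwaway root / intermediate / leaf chain (all names, paths and subjects are constructed, and an `openssl` CLI on PATH is assumed), shows what `openssl x509 -purpose` reports for the intermediate and for the leaf, verifies the leaf with the intermediate passed through `-untrusted`, and contrasts that with handing the intermediate itself to `openssl verify` as the end-entity certificate, which is the case that yields error 26 at depth 0.

```shell
#!/bin/sh
# Added demo (not code from the thread): build a throwaway root -> intermediate
# -> leaf chain and see how "openssl verify -purpose sslserver" treats each file.
# Assumes an openssl CLI on PATH; every name and path below is constructed.
set -eu
cd "$(mktemp -d)"

# Extension profiles. CA certs carry CA:TRUE, keyCertSign and key identifiers
# (-x509_strict wants them); the leaf carries the serverAuth EKU.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
{ cat root.ext; echo 'authorityKeyIdentifier=keyid,issuer'; } > ca.ext
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
  'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:demo-host.example' 'authorityKeyIdentifier=keyid,issuer' > leaf.ext

# csr NAME CN: fresh RSA key plus a CSR for it.
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

gen_chain() {
  csr root "Demo Root CA"; csr host_ca "Demo Host Signing CA"; csr host demo-host.example
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile root.ext \
    -out root_ca.pem 2>/dev/null
  openssl x509 -req -in host_ca.csr -CA root_ca.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out host_ca.pem 2>/dev/null
  openssl x509 -req -in host.csr -CA host_ca.pem -CAkey host_ca.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out host.pem 2>/dev/null
}

# Yes or No from the "SSL server :" line of openssl x509 -purpose for one file.
server_purpose() { openssl x509 -noout -purpose -in "$1" | sed -n 's/^SSL server *: *//p'; }

# Leaf as the subject, intermediate supplied as untrusted chain material.
verify_leaf() {
  openssl verify -x509_strict -CAfile root_ca.pem -untrusted host_ca.pem \
    -purpose sslserver host.pem 2>&1
}

# The intermediate itself handed to verify as if it were the end-entity cert.
verify_intermediate_as_leaf() {
  openssl verify -x509_strict -CAfile root_ca.pem -purpose sslserver host_ca.pem 2>&1 || true
}

gen_chain
echo "intermediate: SSL server $(server_purpose host_ca.pem); leaf: SSL server $(server_purpose host.pem)"
verify_leaf                  # prints "host.pem: OK"
verify_intermediate_as_leaf  # reports "unsupported certificate purpose" at depth 0
```

Whether the second call also prints "OK" or "verification failed" afterwards depends on the OpenSSL release; the depth-0 purpose error is the same in all of them.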
