On Sat, May 11, 2013 at 10:49:40AM +0200, Stefan H. Holek wrote:
> On 10.05.2013, at 18:48, no_spam...@yahoo.com wrote:
>
> > openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem
> >
> > I get the following error:
> > error 20 at 0 depth lookup:unable to get local issuer certificate
>
> IIRC, this means that the Subject and Issuer names on your
> self-signed cert do not match.

That's one possibility, multiple conditions are checked to determine
whether a certificate is self-issued:

    #define ku_reject(x, usage) \
        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))

    int X509_check_issued(X509 *issuer, X509 *subject)
    {
        if (X509_NAME_cmp(X509_get_subject_name(issuer),
                          X509_get_issuer_name(subject)))
            return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
        x509v3_cache_extensions(issuer);
        x509v3_cache_extensions(subject);

        if (subject->akid) {
            int ret = X509_check_akid(issuer, subject->akid);
            if (ret != X509_V_OK)
                return ret;
        }

        if (subject->ex_flags & EXFLAG_PROXY) {
            if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
                return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
        } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
            return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
        return X509_V_OK;
    }

one of these is that its keyUsage (if set) must include KU_KEY_CERT_SIGN.

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
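
The conditions listed in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: a Python diagnostic, assuming the third-party pyca/cryptography package, that reports every check a certificate fails when tested as an issuer instead of stopping at the first one. The function and helper names are hypothetical, the certificates are constructed test data, and the proxy-certificate branch and the AKID issuer-name comparison are left out.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

KU_BITS = ("digital_signature", "content_commitment", "key_encipherment",
           "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
           "encipher_only", "decipher_only")

def key_usage(*bits):
    """Build a KeyUsage extension with only the named bits set."""
    return x509.KeyUsage(**{b: b in bits for b in KU_BITS})

def ext(cert, cls):
    # Return the extension value of type cls, or None when it is absent.
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def check_issued(issuer, subject):
    """List the X509_check_issued() conditions that fail (proxy branch omitted)."""
    failed = []
    # Exact Name comparison; OpenSSL's X509_NAME_cmp compares a canonical form.
    if issuer.subject != subject.issuer:
        failed.append("SUBJECT_ISSUER_MISMATCH")
    akid = ext(subject, x509.AuthorityKeyIdentifier)
    skid = ext(issuer, x509.SubjectKeyIdentifier)
    if (akid is not None and akid.key_identifier is not None
            and skid is not None and akid.key_identifier != skid.digest):
        failed.append("AKID_SKID_MISMATCH")
    if akid is not None and akid.authority_cert_serial_number not in (None, issuer.serial_number):
        failed.append("AKID_ISSUER_SERIAL_MISMATCH")
    ku = ext(issuer, x509.KeyUsage)
    if ku is not None and not ku.key_cert_sign:  # an absent keyUsage is accepted
        failed.append("KEYUSAGE_NO_CERTSIGN")
    return failed

def make_self_signed(cn, *extensions):
    """Constructed throwaway self-signed certificate for the demonstration."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=30)))
    for e in extensions:
        builder = builder.add_extension(e, critical=False)
    return builder.sign(key, hashes.SHA256())
```

To diagnose an existing file, load it with `x509.load_pem_x509_certificate()` and call `check_issued(cert, cert)`; an empty list means none of these conditions explains the verify error.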