Hi, trying to build a valid certificate chain, I came across the following problem:
I have two certificates. The first one, contained in the file root_ca.pem, is a self-signed root CA, intended to sign intermediate CAs with. The second one, contained in host_ca.pem, is such an intermediate CA; it is signed with root_ca.pem. I would expect the two to form a valid chain. And indeed, verification succeeds:

    [thomas@sarkovy openssl-test]$ openssl verify -CAfile root_ca.pem host_ca.pem
    host_ca.pem: OK

However, if I add -issuer_checks to the command line, I get errors:

    [thomas@sarkovy openssl-test]$ openssl verify -CAfile root_ca.pem -issuer_checks host_ca.pem
    host_ca.pem: C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
    error 29 at 0 depth lookup:subject issuer mismatch
    C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
    error 29 at 0 depth lookup:subject issuer mismatch
    C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
    error 29 at 0 depth lookup:subject issuer mismatch
    OK

Next, I look at the subject and issuer fields of both certificates, and find them to be matching:

    [thomas@sarkovy openssl-test]$ openssl x509 -in root_ca.pem -noout -subject -subject_hash -nameopt oneline,-esc_msb
    subject= C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
    f610372b
    [thomas@sarkovy openssl-test]$ openssl x509 -in host_ca.pem -noout -issuer -issuer_hash -nameopt oneline,-esc_msb
    issuer= C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
    f610372b

Am I wrong to expect the verify command to succeed without errors in this case, even with -issuer_checks? I am attaching the two certificates, in case someone wants to investigate the problem.
My openssl has been installed from the Fedora 20 package repository:

    Name    : openssl
    Arch    : x86_64
    Epoch   : 1
    Version : 1.0.1e
    Release : 40.fc20

Thomas

-- 
This message was sent from my Android mobile phone with K-9 Mail.
Attachments:
    host_ca.pem (application/x509-ca-cert)
    root_ca.pem (application/x509-ca-cert)
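Added example, not part of Thomas's message and not OpenSSL project code: a shell script that builds a throwaway root CA and intermediate CA and then repeats the checks from the post on them, running openssl verify with and without -issuer_checks, comparing the root's subject DN and subject_hash with the intermediate's issuer DN and issuer_hash, and additionally comparing the root's Subject Key Identifier with the intermediate's Authority Key Identifier, which is the other binding between the two certificates that a chain-building bug would show up in. The DNs are constructed ASCII stand-ins for the ones in the post (non-ASCII names such as Köller would also need -utf8 on the req command line), the req config is written inline so the result does not depend on the system openssl.cnf, and everything lands in a temporary directory. One caveat for anyone re-running it: OpenSSL 1.1.0 and later accept -issuer_checks but ignore it, so the per-candidate "error 29 ... subject issuer mismatch" diagnostics from the 1.0.1 output, which there are emitted through the verify callback for each issuer candidate that is rejected (here host_ca.pem tested against itself at depth 0), are not reproduced on newer versions; on every version the last line of the verify output, the "OK", is the verdict, and that is what the script extracts.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway root CA and
# intermediate CA, then run the same checks as the post: openssl verify with
# and without -issuer_checks, subject/issuer DNs and their hashes, and the
# root's Subject Key Identifier against the intermediate's Authority Key
# Identifier. The DNs below are constructed stand-ins for the ones in the post.
set -e

WORK="${WORK:-$(mktemp -d)}"
ROOT="$WORK/root_ca.pem"
HOST="$WORK/host_ca.pem"

# Minimal req config so the result does not depend on the system openssl.cnf.
# The empty [req_dn] section is allowed because the subject comes from -subj.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
x509_extensions = ca_ext
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

make_chain() {
  # Self-signed root CA (CA:TRUE, SKI, AKI pointing at its own key).
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/C=DE/ST=Hamburg/L=Hamburg/O=Example Family/OU=Network Administration/CN=Example Root Signing Certificate" \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null
  # Intermediate CA: a CSR signed by the root. The issuer DN of the result is
  # copied from the root's subject, so the two must match byte for byte.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=DE/ST=Hamburg/L=Hamburg/O=Example Family/OU=Network Administration/CN=Example Host Signing Certificate" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/host.csr" -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/req.cnf" -extensions ca_ext -out "$HOST" 2>/dev/null
}

dn() {        # $1 = cert, $2 = subject|issuer; RFC 2253 form, "subject="/"issuer=" prefix stripped
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

dn_hash() {   # $1 = cert, $2 = subject|issuer; the hash that -CApath directories are keyed on
  openssl x509 -in "$1" -noout "-${2}_hash"
}

key_id() {    # $1 = cert, $2 = Subject|Authority; the 20-byte key identifier as colon-separated hex
  openssl x509 -in "$1" -noout -text |
    awk -v hdr="X509v3 $2 Key Identifier" 'found { print; exit } index($0, hdr) { found = 1 }' |
    grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}'
}

verdict() {   # extra openssl verify flags in "$@"; prints the last word of the output ("OK" on success)
  openssl verify -CAfile "$ROOT" "$@" "$HOST" 2>&1 | awk 'END { print $NF }'
}

make_chain
printf 'root subject          : %s\n' "$(dn "$ROOT" subject)"
printf 'host issuer           : %s\n' "$(dn "$HOST" issuer)"
printf 'subject / issuer hash : %s / %s\n' "$(dn_hash "$ROOT" subject)" "$(dn_hash "$HOST" issuer)"
printf 'root SKI / host AKI   : %s / %s\n' "$(key_id "$ROOT" Subject)" "$(key_id "$HOST" Authority)"
printf 'verify                : %s\n' "$(verdict)"
printf 'verify -issuer_checks : %s\n' "$(verdict -issuer_checks)"
```

If the DN strings or the hashes differ between the two certificates, or the SKI and AKI do not line up, the intermediate was not signed by the root you think it was, and no verify flag will fix that; if all four agree and verify still prints "OK" at the end, the extra lines that -issuer_checks produces on 1.0.x are diagnostics, not a failed verification.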