> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
> Sent: Thursday, October 30, 2014 14:50
> I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
> I would expect the two to form a valid chain. And indeed,
> verification succeeds:
> ... openssl verify -CAfile root_ca.pem host_ca.pem
> host_ca.pem: OK
> However, if I add -issuer_checks to the command line, I get errors:
> openssl verify -CAfile root_ca.pem -issuer_checks host_ca.pem
> host_ca.pem: C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family,
> OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
> error 29 at 0 depth lookup:subject issuer mismatch
> C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
> Administration, CN = K\C3\B6ller Family Host Signing Certificate
> error 29 at 0 depth lookup:subject issuer mismatch
> C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
> Administration, CN = K\C3\B6ller Family Host Signing Certificate
> error 29 at 0 depth lookup:subject issuer mismatch
> OK
> Next, I look at the subject and issuer fields of both certificates, and
> find them to be matching: <snip>
> Am I wrong to expect the verify command to succeed without errors in
> this case, even with -issuer_checks? I am attaching the two certificates,
> in case someone wants to investigate the problem.

As the manpage says:

    Print out diagnostics relating to searches for the issuer certificate of the
    current certificate. This shows why each candidate issuer certificate was
    rejected. The presence of rejection messages does not itself imply that
    anything is wrong; during the normal verification process, several
    rejections may take place.

In particular, although the manpage doesn't say so, X509_verify_cert checks several(!) times whether your cert is self-issued, only to find it isn't, causing the "errors" you see in this case. The result is "OK"; the "errors" should be ignored.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
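One way to read such output programmatically, as an added example that is not from the thread or from OpenSSL: it treats the "error N at D depth lookup:" lines as candidate-issuer diagnostics and takes the OK line (or its absence) as the verdict, which is the point the reply makes. The sample sessions are constructed after the quoted output with the names changed; the parser assumes the "<file>: <subject DN>" record format shown above.

```python
"""Separate -issuer_checks candidate-issuer rejections from the real verdict.
Added example, not OpenSSL's or the poster's code; samples are constructed."""
import re
from dataclasses import dataclass, field

DIAG = re.compile(r"^error (\d+) at (\d+) depth lookup:\s*(.*)$")
RECORD = re.compile(r"^(\S+): (.*)$")  # "<file>: <subject DN>" opens a record

SAMPLE_ISSUER_CHECKS = """\
host_ca.pem: C = DE, O = Example Family, OU = Network
Administration, CN = Example Host Signing Certificate
error 29 at 0 depth lookup:subject issuer mismatch
C = DE, O = Example Family, OU = Network
Administration, CN = Example Host Signing Certificate
error 29 at 0 depth lookup:subject issuer mismatch
OK
"""
SAMPLE_FAILED = """\
host_ca.pem: C = DE, O = Example Family, CN = Example Host Signing Certificate
error 20 at 0 depth lookup:unable to get local issuer certificate
"""

@dataclass
class VerifyResult:
    path: str
    ok: bool = False
    diagnostics: list = field(default_factory=list)  # (code, depth, message)

    def verdict(self):
        """OK makes every lookup error informational; without OK, the last
        lookup error is the real reason the chain could not be built."""
        if self.ok:
            return f"OK ({len(self.diagnostics)} candidate-issuer rejections, informational)"
        if not self.diagnostics:
            return "FAILED: no OK line and no lookup diagnostics"
        code, depth, msg = self.diagnostics[-1]
        return f"FAILED: error {code} at depth {depth}: {msg}"

def parse_verify_output(text):
    results = []
    for line in text.splitlines():
        if m := RECORD.match(line):               # "<file>: <subject>" starts a record
            results.append(VerifyResult(path=m.group(1)))
        elif results and line.strip() == "OK":
            results[-1].ok = True
        elif results and (d := DIAG.match(line)):
            results[-1].diagnostics.append((int(d[1]), int(d[2]), d[3]))
        # any other line is the wrapped subject DN of the cert being tried
    return results
```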