Use the command 'openssl x509 -in serverCA.pem -text -noout' to check if your
certificate is generated OK. When you are going to use the intermediate CA,
you must use X509 v3 extensions.
Check if you have this content:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
At 2011-05-27 06:53:04, "Mary Zhang" <[email protected]> wrote:
Hi,
I am using OpenSSL for an SSL server and "openssl s_client" to test it with
client auth required.
A self-signed root cert is used for creating client certs, and the self-signed
root cert is added to the SSL server's trusted CA file.
It works fine when the client cert has no chain, but if the client cert is created
by an intermediate CA which is signed by the previous root CA, the SSL server
fails with "unknown ca".
From the debug trace, it looks like s_client sent the whole chain (the client cert
file contains the private key and the whole chain in PEM format).
I thought that OpenSSL would automatically build the chain based on what was sent
from the client, and since the root CA is trusted, it should work.
Am I wrong? Do I need to get the client's cert chain and set it on the SSL CTX for
validation?
BTW, here are the functions used:
    /* context creation and protocol/cipher settings */
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
    SSL_CTX_set_cipher_list(ctx, CIPHER_LIST);
    /* server's own certificate chain and private key */
    SSL_CTX_use_certificate_chain_file(ctx, cert_fname);
    SSL_CTX_use_PrivateKey_file(ctx, cert_fname, SSL_FILETYPE_PEM);
    /* CA names advertised to the client, and the trusted CAs used for verification */
    STACK_OF(X509_NAME) *ca_certs = SSL_load_client_CA_file((char*)ca_fname);
    SSL_CTX_set_client_CA_list(ctx, ca_certs);
    SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_set_verify_depth(ctx, _verify_depth);
Thank you very much!
Mary
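An added, self-contained demonstration of both points in this thread (it is not code from either participant): the reply's check for "X509v3 Basic Constraints: CA:TRUE" on the intermediate, and the question's situation of a server whose trusted CA file holds only the root while the client presents its leaf together with the intermediate. It builds a throw-away PKI with the openssl command-line tool in a temporary directory (every name such as "Demo Root CA" is constructed for the demo) and verifies each leaf the way the server's verification does, with the root trusted and the intermediate merely presented: `openssl verify -CAfile root -untrusted intermediate leaf`. It assumes an openssl binary (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Constructed demo, not from the mailing-list thread. Builds a root CA, an
# intermediate issued WITH X509v3 basicConstraints CA:TRUE, an intermediate
# issued WITHOUT any v3 extensions (an X509v1 certificate), and a client
# ("leaf") certificate under each; then verifies the leaves as a server would.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[ dn ]
CN = Demo Root CA
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for a proper intermediate CA and for an end-entity certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf_ext.cnf

# Self-signed root; it gets CA:TRUE from the root_ext section above.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config req.cnf \
    -keyout root.key -out root.pem 2>/dev/null

# issue NAME SUBJECT ISSUER [EXTFILE]: new key + CSR for NAME, signed by ISSUER.
# Without EXTFILE the result carries no extensions at all, i.e. it is X509v1.
issue() {
    name=$1; subj=$2; issuer=$3; extfile=${4:-}
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    if [ -n "$extfile" ]; then
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 2 -extfile "$extfile" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 2 -out "$name.pem" 2>/dev/null
    fi
}

issue inter_good "/CN=Demo Intermediate (v3, CA:TRUE)"       root       ca_ext.cnf
issue inter_bad  "/CN=Demo Intermediate (v1, no extensions)" root
issue leaf_good  "/CN=client under good intermediate"        inter_good leaf_ext.cnf
issue leaf_bad   "/CN=client under bad intermediate"         inter_bad  leaf_ext.cnf

# The check from the reply: does the certificate carry Basic Constraints CA:TRUE?
has_ca_true() {
    openssl x509 -in "$1" -text -noout | grep -q 'CA:TRUE'
}

# verify_chain ROOT UNTRUSTED LEAF: succeeds only if openssl verify reports OK.
# -CAfile plays the server's trusted CA file (root only); -untrusted plays the
# intermediate the client sent in its chain (pass "" to send none).
verify_chain() {
    root=$1; untrusted=$2; leaf=$3
    if [ -n "$untrusted" ]; then
        out=$(openssl verify -CAfile "$root" -untrusted "$untrusted" "$leaf" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$root" "$leaf" 2>&1 || true)
    fi
    echo "$out"
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

for c in inter_good inter_bad; do
    if has_ca_true "$c.pem"; then echo "${c}: CA:TRUE present"; else echo "${c}: CA:TRUE missing"; fi
done
verify_chain root.pem inter_good.pem leaf_good.pem || true   # OK
verify_chain root.pem inter_bad.pem  leaf_bad.pem  || true   # fails: invalid CA certificate
verify_chain root.pem ""             leaf_good.pem || true   # fails: issuer not presented
```

Run it with sh. The intermediate issued without an -extfile is an X509v1 certificate, which OpenSSL refuses to treat as an issuer, so the second verification fails with "invalid CA certificate" even though the root is trusted; the third fails because no intermediate was presented at all, which is the case where a trusted CA file containing only the root is not enough on its own.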