I forgot to mention that I could successfully verify ca2.crt after step (2)
using
% openssl verify -CAfile ca.crt ca2.crt
clnt1.crt: OK
In addition to the question I had, I am wondering if there is any
workaround. What I need is a 2-level ca hierarchy.
Thanks - Jeff
Jeff Smith wrote:
>
> Hi everyone,
>
> I created a chain of 3 certificates as follows:
>
> (1) a self-signed root ca cert, using
>
> openssl genrsa -des3 -out ca.key
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -signkey ca.key -out ca.crt -in ca.csr
>
> (2) a second ca cert, signed by the first ca, using
>
> openssl genrsa -des3 -out ca2.key
> openssl req -new -key ca2.key -out ca2.csr
> openssl ca -cert ca.crt -keyfile ca.key -out ca2.crt -infiles ca2.csr
>
> (3) a user cert using
>
> openssl genrsa -des3 -out user.key
> openssl req -new -key user.key -out user.csr
> openssl ca -cert ca2.crt -keyfile ca2.key -out user.crt -infiles user.csr
>
> But when I try to verify user.crt using
>
> openssl verify -CAfile ca.crt -untrusted ca2.crt user.crt
>
> it fails with
>
> error 18 at 0 depth lookup:self signed certificate
> and
> error 7 at 0 depth lookup:certificate signature failure
>
> I have looked through faqs and related pages, could not figure out why.
> Could someone tell me the reasons?
>
> Thank you in advance.
>
> jeff
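As an added example (not part of Jeff's post or the OpenSSL project's own documentation), the script below builds the 2-level CA hierarchy asked for and checks the leaf with the same verify command used in the thread. It signs with "openssl x509 -req -CA" instead of "openssl ca" so no index/serial database is needed; the DNs, file names and extension sections are constructed assumptions, and the two points it makes sure of are that every certificate has a distinct subject and that the intermediate carries basicConstraints CA:TRUE.

```shell
# Added example (not from the post): two-level CA hierarchy, verified as in the thread.
# Signs with "openssl x509 -req -CA" instead of "openssl ca" so no index/serial
# database is needed. DNs, file names and extension sections are constructed.
set -eu

# Extension sections used when signing (constructed config, not the post's openssl.cnf).
write_extfile() {
    cat > "$1" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
}

# build_chain DIR: create ca.crt (root), ca2.crt (intermediate) and user.crt (leaf) in DIR.
# Each cert gets a distinct subject: with identical DNs the leaf looks self-signed
# (error 18) and the issuer lookup by name can pick the root instead of ca2, whose
# key then fails to check the leaf's signature (error 7).
build_chain() {
    dir=$1
    write_extfile "$dir/ext.cnf"
    for n in ca ca2 user; do openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null; done
    openssl req -new -key "$dir/ca.key"   -subj "/CN=Example Root CA"         -out "$dir/ca.csr"
    openssl req -new -key "$dir/ca2.key"  -subj "/CN=Example Intermediate CA" -out "$dir/ca2.csr"
    openssl req -new -key "$dir/user.key" -subj "/CN=user1"                   -out "$dir/user.csr"
    # (1) self-signed root, marked CA:TRUE
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/ext.cnf" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
    # (2) intermediate signed by the root; without CA:TRUE verify rejects it as an invalid CA
    openssl x509 -req -in "$dir/ca2.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/ext.cnf" -extensions v3_ca -out "$dir/ca2.crt" 2>/dev/null
    # (3) end-entity cert signed by the intermediate, explicitly CA:FALSE
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca2.crt" -CAkey "$dir/ca2.key" -CAcreateserial \
        -days 365 -extfile "$dir/ext.cnf" -extensions v3_user -out "$dir/user.crt" 2>/dev/null
}

# verify_chain DIR: the same verify command as in the post; prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1/ca.crt" -untrusted "$1/ca2.crt" "$1/user.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# is_ca CERT: prints yes if basicConstraints marks the certificate as a CA, else no.
is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}
```

Run with `d=$(mktemp -d); build_chain "$d"; verify_chain "$d"`; the same build with all three subjects set to one DN is a quick way to reproduce the name-lookup failure rather than a signing problem.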
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]