Jeff Smith wrote:
>
> ... and using -verbose option, the step (3) verify would produce:
>
> % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt
>
> error 18 at 0 depth lookup:self signed certificate
> error 7 at 0 depth lookup:certificate signature failure
> 21970:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 21970:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
> 21970:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
>
Probably a typo somewhere which resulted in a certificate being signed
by the wrong key; usually, though, this produces an error.
The two CA certificates shouldn't have the same name: it will confuse
some software.
Also when you sign the CSR for the intermediate CA you need to include
the -extensions v3_ca command line option.
If that doesn't help then post the three certificates.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
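The three-certificate chain discussed in this thread (root CA, intermediate CA, user certificate), built end to end as an added example that is not part of the original messages. It signs the intermediate CSR once with `-extensions v3_ca` and once without, then runs the same `openssl verify` invocation. The subject names, file names other than those in the thread, and the contents of the `v3_ca` and `usr` sections are assumptions defined in the script's own config file.

```shell
#!/bin/sh
# chain_check good|bad -> 0 if user.crt verifies, 1 if not, 99 on setup error.
#   good: intermediate CSR signed with -extensions v3_ca (CA:TRUE)
#   bad : intermediate CSR signed with no extensions
# All names, subjects and the config below are constructed for this example.
chain_check() {
    mode=$1
    d=$(mktemp -d) || return 99
    cat > "$d/x.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr ]
basicConstraints = CA:FALSE
EOF
    (
        cd "$d" || exit 99
        OPENSSL_CONF="$d/x.cnf"; export OPENSSL_CONF  # no system openssl.cnf needed
        for k in ca ca2 user; do
            openssl genrsa -out "$k.key" 2048 2>/dev/null || exit 99
        done
        # (1) Self-signed root. Its subject differs from the intermediate's.
        openssl req -new -x509 -key ca.key -subj "/CN=Example Root CA" \
            -extensions v3_ca -days 30 -out ca.crt || exit 99
        # (2) Intermediate CA: CSR from ca2.key, signed with the ROOT key.
        openssl req -new -key ca2.key -subj "/CN=Example Intermediate CA" \
            -out ca2.csr || exit 99
        ext=""
        if [ "$mode" = good ]; then ext="-extfile x.cnf -extensions v3_ca"; fi
        openssl x509 -req -in ca2.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
            -days 30 $ext -out ca2.crt 2>/dev/null || exit 99
        # (3) User certificate: signed with the INTERMEDIATE key, not the root.
        openssl req -new -key user.key -subj "/CN=user.example" \
            -out user.csr || exit 99
        openssl x509 -req -in user.csr -CA ca2.crt -CAkey ca2.key -set_serial 3 \
            -days 30 -extfile x.cnf -extensions usr -out user.crt 2>/dev/null || exit 99
        # Same verify invocation as in the thread.
        if openssl verify -CAfile ca.crt -untrusted ca2.crt user.crt >/dev/null 2>&1
        then exit 0; else exit 1; fi
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Call `chain_check good` and `chain_check bad` and compare the exit status; dropping the redirection on the verify line shows the diagnostic your OpenSSL build prints for the intermediate that lacks CA:TRUE.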