Hello Jim,
Jim Adams wrote:
I am experiencing a problem with self-signed server certificates generated by z/OS's pskkyman program in my openssl-enabled telnet client. Usually, a self-signed certificate will generate an error of "self-signed certificate" in my certificate verify callback routine. If I add the certificate to openssl's root store, further verifies are OK. The z/OS certificates, which are self-signed, generate 2 errors: "unable to get local issuer certificate" and "unable to verify the first certificate". I have previously only seen these errors on CA-signed certs. Can anybody tell me how a self-signed cert can generate these errors instead of the "self-signed certificate" error? I have attached the certificate in question. Any help would be appreciated.
My guess is:
Since the Key usage states that this certificate may not be used to sign certificates:
[...]
X509v3 Key Usage: critical
    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
[...]
OpenSSL will not accept it as a CA certificate...
Bye
Goetz
-- Goetz Babin-Ebell, software designer, TC TrustCenter AG, Sonninstr. 24-28, 20097 Hamburg, Germany Office: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126 www.trustcenter.de www.betrusted.com