Dr. Stephen Henson wrote:
On Wed, Nov 09, 2005, Warrick FitzGerald wrote:

  
Hi All,

I generated a CA cert and then created a certificate (using CA.pl in
./misc), however the verify does not seem to detect a valid CA.

openssl verify -CAfile ./demoCA/cacert.pem -purpose sslserver newreq.pem

produces "error 18 at 0 depth lookup:self signed certificate"

Which according to the man pages says:

------------

18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate 

    the passed certificate is self signed and the same certificate
    cannot be found in the list of trusted certificates.

---------

What am I doing wrong here?

    

Is that a typo above and you are actually using "newcert.pem" and not
"newreq.pem"?

Also are you entering *exactly* the same field values for the root CA and the
server certificate?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Here's the exact process I'm following (see details below):

1. Create CA
2. Create Cert
3. Try to verify

For some odd reason CA.pl writes the Key and Cert to newreq.pem, so no, the above was not a typo ... am I misunderstanding something here?

Thanks
Warrick


=========================


[EMAIL PROTECTED] misc]# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............................................++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (eg, city) [Purchase]:
Organization Name (eg, company) [LiveTechnology Holdings Inc.]:
Organizational Unit Name (eg, section) [Network Operations]:
Common Name (eg, YOUR name) []:LiveTechnology CA
Email Address [[EMAIL PROTECTED]]:


==============================


[EMAIL PROTECTED] misc]# ./CA.pl -newcert
Generating a 1024 bit RSA private key
..........++++++
.....................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (eg, city) [Purchase]:
Organization Name (eg, company) [LiveTechnology Holdings Inc.]:
Organizational Unit Name (eg, section) [Network Operations]:
Common Name (eg, YOUR name) []:tls.livetechnology.com
Email Address [[EMAIL PROTECTED]]:
Certificate (and private key) is in newreq.pem

=============================

[EMAIL PROTECTED] misc]# openssl verify -CAfile ./demoCA/cacert.pem -purpose sslserver newreq.pem
newreq.pem: /C=US/ST=New York/L=Purchase/O=LiveTechnology Holdings Inc./OU=Network Operations/CN=tls.livetechnology.com/[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
OK
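
The distinction this thread turns on, as an added example that is not part of the original messages: per the CA.pl documentation, `-newcert` creates a self-signed certificate, while a CA-issued one comes from `-newreq` followed by `-sign`. The script reproduces both cases with plain `openssl` commands; the throwaway CA, subjects, file names and helper functions are all constructed for illustration.

```shell
#!/bin/sh
# Added example: every name, subject and path here is constructed.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

# Throwaway root CA, standing in for ./demoCA/cacert.pem
openssl req -config "$work/cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout "$work/ca.key" -out "$work/ca.pem" -days 1 -subj "/O=Example/CN=Example CA" 2>/dev/null

# Case 1: a certificate signed with its own key (issuer == subject); the CA is never involved
openssl req -config "$work/cnf" -x509 -newkey rsa:2048 -nodes \
  -keyout "$work/self.key" -out "$work/self.pem" -days 1 \
  -subj "/O=Example/CN=tls.example.test" 2>/dev/null

# Case 2: a certificate request (CSR) that the CA key then signs
openssl req -config "$work/cnf" -new -newkey rsa:2048 -nodes \
  -keyout "$work/srv.key" -out "$work/srv.csr" \
  -subj "/O=Example/CN=tls.example.test" 2>/dev/null
openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
  -CAcreateserial -out "$work/signed.pem" -days 1 2>/dev/null

# Print one name field (subject or issuer) without its "field=" prefix
field() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }
# True when the certificate names itself as issuer
is_self_issued() { [ "$(field "$1" subject)" = "$(field "$1" issuer)" ]; }
# True when verification against the CA reports error 18. The output text is
# checked because old openssl releases exit 0 and print OK even after an error.
verify_hits_error18() {
  out=$(openssl verify -CAfile "$work/ca.pem" -purpose sslserver "$1" 2>&1 || true)
  printf '%s\n' "$out" | grep -q 'error 18'
}

for c in self.pem signed.pem; do
  is_self_issued "$work/$c" && kind="self-issued" || kind="CA-issued"
  verify_hits_error18 "$work/$c" && res="error 18" || res="verifies"
  echo "$c: $kind, $res"
done
```

Comparing `-subject` and `-issuer` on a file such as newreq.pem is a quick way to tell which of the two cases it holds before running `openssl verify`.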
