Read the manpage for verify(1ssl) for information on how to get
openssl's command-line tools to recognize a root certificate as
'trusted'.

The same type of thing must be done in your client.  The root
certificate must be added to the list of CAs that are trusted.  I'm
not quite sure of the precise API to use to do so.

Also: I would recommend you look at the CA.sh shell script to handle
things as a minimal Certifying Authority.  It automates the entire
procedure.

-Kyle H

On Fri, Jun 13, 2008 at 3:05 AM, lakshmi prasanna <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Thanks for the reply.
>
> I have set up a CA, and generated cacert.pem and cakey.pem files. I
> signed the rootrequest with cacert.pem and generated rootcert.pem.
> Even then the same error is observed saying "Self signed certificate".
> Actually I am setting up a local CA in this case.
>
> Can we sign the root certificate by the CA or should we sign the root
> certificate request and then generate the root certificate from the
> request?
>
> Actually, I am following the steps in O'Reilly's book Network
> Security with OpenSSL to generate the certificates.
> Can you please send me the exact steps to create a CA and generate CA
> signed certificates?
>
> thanks,
> Lakshmi Prasanna
>
>
> On Fri, Jun 13, 2008 at 2:33 PM, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> The below error is obtained when no CA is set up in the machine, i.e.,
>> cacert.pem and cakey.pem files are not present and the root certificate is
>> not signed by the CA.
>>
>> "lakshmi prasanna" wrote:
>>>
>>>
>>> The root certificate is signed by the root key generated while creating the
>>> certificate using command:
>>>     openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
>>>
>>> -Error with certificate at depth: 2
>>>  issuer = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root
>>> Intoto/[EMAIL PROTECTED]
>>>  subject = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root
>>> Intoto/[EMAIL PROTECTED]
>>>  err 19:self signed certificate in certificate chain
>>> SSL_connect failed
>>> ** client.c:80 Error connecting SSL object
>>> 16384:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>> verify failed:s3_clnt.c:843:
>>>
>>> Any help regarding this...
>>> --
>>> thanks,
>>> Lakshmi Prasanna
>>
>
>
>
> --
> thanks,
> Lakshmi Prasanna
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
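
The point made in the reply at the top of this thread, as an added example that is not part of the original messages: a self-signed root is rejected with error 19 until it is named as a trust anchor. The chain here is constructed and has two levels rather than the three in the poster's log; all subjects and the server file names are assumptions.

```shell
#!/bin/sh
# Added example: throwaway root CA and server certificate, all constructed.
# rootkey.pem/rootcert.pem follow the thread; every other name is assumed.

make_chain() {    # $1 = working directory
    dir=$1
    # Minimal config, so no system openssl.cnf is needed.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: issuer and subject are the same name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Constructed Root" \
        -keyout "$dir/rootkey.pem" -out "$dir/rootcert.pem" 2>/dev/null &&
    # Server key and request, then a certificate signed by the root.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" -subj "/CN=server.example" \
        -keyout "$dir/serverkey.pem" -out "$dir/serverreq.pem" 2>/dev/null &&
    openssl x509 -req -in "$dir/serverreq.pem" -days 1 \
        -CA "$dir/rootcert.pem" -CAkey "$dir/rootkey.pem" -CAcreateserial \
        -out "$dir/servercert.pem" 2>/dev/null
}

# Root supplied only as an untrusted chain certificate, which is all a
# certificate received from the peer amounts to: verification reports error 19.
verify_without_trust() {
    openssl verify -untrusted "$1/rootcert.pem" "$1/servercert.pem" 2>&1
}

# Root named as a trust anchor with -CAfile, as verify(1ssl) documents.
verify_with_trust() {
    openssl verify -CAfile "$1/rootcert.pem" "$1/servercert.pem" 2>&1
}

work=$(mktemp -d) && make_chain "$work" || exit 1
verify_without_trust "$work" || echo "rejected: root is not a trust anchor"
verify_with_trust "$work"
rm -rf "$work"
```

In a libssl client the counterpart of `-CAfile` is a call to `SSL_CTX_load_verify_locations()` on the `SSL_CTX` before connecting.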