So I've got my ssl client working pretty well. It does great with most websites, but some of them it doesn't verify the certificate chain for, returning the above error. The CA root cert in question is in the certificate store, and the server isn't actually sending the root so I'm pretty sure that openssl has even found it in the store and is trying to verify it. I've pasted the details below of a certificate that is working (Equifax) and one that isn't (Verisign). The only clue that I have is that the Verisign cert doesn't have any extensions on it. Maybe by default the openssl library is requiring the cert to be configured to be able to sign other certs? If this is true, what can I do? Any guidance or ideas appreciated. I'm not sure what to do next.
Websites using this root cert do not verify:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug 2 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

Websites using this root cert do verify:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 903804111 (0x35def4cf)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Validity
            Not Before: Aug 22 16:41:51 1998 GMT
            Not After : Aug 22 16:41:51 2018 GMT
        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1
            X509v3 Private Key Usage Period:
                Not After: Aug 22 16:41:51 2018 GMT
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
            X509v3 Subject Key Identifier:
                48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
            X509v3 Basic Constraints:
                CA:TRUE
            1.2.840.113533.7.65.0:
                0...V3.0c....
    Signature Algorithm: sha1WithRSAEncryption

--
*David Hinkle*
*Senior Software Developer*
*Phone:* 800.243.3729x3000
*Email:* hin...@cipafilter.com
*Hours:* Mon-Fri 8:00AM-5:00PM (CT)