On Thursday 07 February 2013 07:31:55 you wrote:
> On Wed, February 6, 2013 23:47, Thomas Koeller wrote:
> > bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose
> > sslserver cacert/host_ca.pem
> > cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU =
> > K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family
> > Host Signing Certificate
> > error 26 at 0 depth lookup:unsupported certificate purpose
> > OK
> >
> > Can anybody tell why I am getting this error, and what I should do about
> > it?
>
> I think this is correct, you tested your CA intermediate certificate ...
>
I did that on purpose, because adding the actual server certificate to the
chain does not change the outcome, and I wanted to strip down
the test case as much as possible.
> because of this:
> > SSL server : No
> > SSL server CA : Yes
That should be correct, it's not a host certificate after all.
>
> I get the same with my CA
>
> by the way, your CA certificates have a very long validity, which key
> length did you use?
4086 bits
>
> openssl verify -x509_strict -CAfile concatCA.pem -purpose sslserver ssl.pem
>
> concatCA.pem is just this
> ( cat cacert/root_ca.pem; cat cacert/host_ca.pem ) > concatCA.pem
> ssl.pem is signed with the intermediate cert cacert/host_ca.pem and is
> used for your Webserver ...
> will give you just ok.
No, that does not work either. Here is a host certificate:
bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt
no_pubkey,no_sigdump -purpose -in host_certs/handy-thomas.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = DE, ST = Hamburg, O = Köller Family, OU = Köller Family
Certification Authority, CN = Köller Family Host Signing
Certificate
Validity
Not Before: Feb 7 20:34:35 2013 GMT
Not After : Jun 5 23:59:59 2059 GMT
Subject: C = DE, ST = Hamburg, O = Köller Family, OU = Network
Administration, CN = handy-thomas
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
I concatenated the intermediate signing certificate with this one to form the
server certificate, and performed verifcation of the
resulting chain. Here's the result:
bash-4.0$ cat cacert/host_ca.pem host_certs/handy-thomas.pem >/tmp/test.pem
bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose
sslserver /tmp/test.pem
/tmp/test.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller
Family Certification Authority, CN = K\C3\B6ller Family Host
Signing Certificate
error 26 at 0 depth lookup:unsupported certificate purpose
OK
>
> Walter
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
thanks,
Thomas
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]