Hi all,
I have just created a new CA which has the extension to allow client authentication. My previous CA worked fine without this extension, but some client application now requires that I set it. So I've created a new client key pair and signed it with the new CA, but when I use openssl verify to test it, it does not verify. I get the following error:

$ openssl verify -CAfile CA/cacert.pem client.cert
stdin: CN = d8ab98a0252208818a29d5548bd833d40e85e4fa14bf146dc04be5139418fae2, emailAddress = [1]a...@gmail.com, C = aa
error 20 at 0 depth lookup:unable to get local issuer certificate

If I look at the new client certificate's chain I get:

~$ openssl x509 -issuer -subject -noout -in client.cert
issuer= /C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
subject= /CN=d8ab98a0252208818a29d5548bd833d40e85e4fa14bf146dc04be5139418fae2/emailAddress=[2]a...@gmail.com/C=aa

and the CA certificate is self-signed:

~$ openssl x509 -issuer -subject -noout -in CA/cacert.pem
issuer= /C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
subject= /C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost

The extensions for the CA are now:

X509v3 extensions:
    X509v3 Subject Key Identifier:
        ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
    X509v3 Authority Key Identifier:
        keyid:ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
        DirName:/C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
        serial:A4:48:38:09:CB:16:6A:D0
    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Key Usage:
        Certificate Sign, CRL Sign

I just cannot understand this verification problem - the client is directly signed by the root CA!?

Any help appreciated

Thanks
LJB

References
1. mailto:ljbr...@gmail.com
2. mailto:ljbr...@gmail.com
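Added example, not part of LJB's post: the script below builds a throwaway PKI with OpenSSL (1.1.1 or later assumed; all names such as crypto-admin, client1 and the temp directory are constructed here) and runs the three checks that sit behind "error 20 at 0 depth lookup:unable to get local issuer certificate": does the client's issuer DN match the CA's subject DN, does the client's Authority Key Identifier match the CA's Subject Key Identifier, and does openssl verify accept the pair. It also reproduces one way to get error 20 with a matching issuer DN: a CA rebuilt with the same DN but a fresh key pair, where the AKI/SKI comparison fails even though every DN lines up. This is a diagnostic to run against one's own files, not a diagnosis of the poster's setup.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway PKI and runs
# the checks behind "error 20 ... unable to get local issuer certificate":
# issuer DN vs. CA subject DN, AKI keyid vs. CA SKI, and openssl verify itself.
# Names (crypto-admin, client1, ca_old, ca_new) and the temp dir are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
C = aa
O = mod
CN = crypto-admin
[ ca_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed CA with the DN from ca.cnf; a fresh key pair each call
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue CANAME CERTNAME: client certificate signed by CANAME, with the clientAuth EKU
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/C=aa/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions client_ext -out "$WORK/$2.cert" >/dev/null 2>&1
}

# Key identifiers as printed by -text; the "keyid:" prefix is stripped so that
# 1.1.1 output (keyid:AB:CD...) and 3.x output (AB:CD...) compare the same way.
ski() { openssl x509 -noout -text -in "$1" | grep -A1 'Subject Key Identifier' | tail -1 | tr -d ' '; }
aki() { openssl x509 -noout -text -in "$1" | grep -A1 'Authority Key Identifier' | tail -1 | tr -d ' ' | sed 's/^keyid://'; }
# dn_of CERT issuer|subject: the DN without the "issuer=" / "subject=" prefix
dn_of() { openssl x509 -noout "-$2" -in "$1" | sed "s/^$2= *//"; }

# check_chain CERT CAFILE: print each check, return 0 only if all three pass
check_chain() {
  rc=0
  if [ "$(dn_of "$1" issuer)" = "$(dn_of "$2" subject)" ]; then
    echo "  issuer DN matches CA subject DN"
  else
    echo "  issuer DN does NOT match CA subject DN"; rc=1
  fi
  if [ "$(aki "$1")" = "$(ski "$2")" ]; then
    echo "  AKI keyid matches CA SKI"
  else
    echo "  AKI keyid $(aki "$1") != CA SKI $(ski "$2") (DN matches, key does not)"; rc=1
  fi
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "  openssl verify: OK"
  else
    echo "  openssl verify: $(openssl verify -CAfile "$2" "$1" 2>&1 | tr '\n' ' ')"; rc=1
  fi
  return $rc
}

make_ca ca_old
make_ca ca_new          # same DN as ca_old, different key pair
issue ca_new client1

echo "client1 against ca_new (the CA that signed it):"
check_chain "$WORK/client1.cert" "$WORK/ca_new.pem"
echo "client1 against ca_old (same DN, different key):"
check_chain "$WORK/client1.cert" "$WORK/ca_old.pem" || echo "  -> error 20 although the issuer DN matches"
```

The second run is the one worth studying: openssl's issuer lookup first selects store certificates by subject DN and then rejects any whose Subject Key Identifier does not match the certificate's Authority Key Identifier, so a DN that matches "by eye" is not sufficient. When re-creating a CA, either keep the old key pair or re-issue every certificate under the new one.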