Try these:
- split the certificates from your CA/cecert.pem into individual files
with correct hashes
- run "strace -eopen openssl verify -CApath <yourcacertsdirectory>
client.cert"
--
Erwann ABALEA
Le 04/06/2013 09:02, Leon Brits a écrit :
Hi all,
I have just created a new CA which has the extension to allow client
authentication. My previous CA worked fine without this extension but
some client application now requires that I set it. So I've created a
new client key pair and signed it with the new CA, but when I use
openssl verify to test them, they do not verify.
I get the following error:
$ openssl verify -CAfile CA/cacert.pem client.cert
stdin: CN =
d8ab98a0252208818a29d5548bd833d40e85e4fa14bf146dc04be5139418fae2,
emailAddress = a...@gmail.com <mailto:ljbr...@gmail.com>, C = aa
error 20 at 0 depth lookup:unable to get local issuer certificate
If I look at the new client certificate's chain I get:
~$ openssl x509 -issuer -subject -noout -in client.cert
issuer=
/C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
subject=
/CN=d8ab98a0252208818a29d5548bd833d40e85e4fa14bf146dc04be5139418fae2/emailAddress=a...@gmail.com
<mailto:ljbr...@gmail.com>/C=aa
and the CA certificate is selfsigned:
~$ openssl x509 -issuer -subject -noout -in CA/cacert.pem
issuer=
/C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
subject=
/C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
The extensions for the CA are now:
X509v3 extensions:
X509v3 Subject Key Identifier:
ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
X509v3 Authority Key Identifier:
keyid:ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
DirName:/C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
serial:A4:48:38:09:CB:16:6A:D0
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
I just cannot understand this verification problem - the client is
directly signed by the root CA!?
Any help appreciated
Thanks
LJB