I was thinking about manual verification of certificates on the command line. From what you wrote now, it seems that you are using some calls to the openssl library in a client-server application, maybe via other tools/webserver or so, and I understand that the server certificate was issued by a different CA from the one which issued the client certificate. If that's the case you need to declare the CA certificate of the "other side" as trusted. In other words the client must trust the CA which issued the server certificate, and (if you use a client certificate for authentication) the server must trust the CA which has issued the client certificate. You can trust a specific CA by copying the CA certificate into the certs directory which can be configured in openssl.cnf (on my Linux host the file is /etc/ssl/openssl.cnf which can be configured at compile time and the certs directory configured in this file is /etc/ssl/certs).
On 09.01.2014 06:59, Yvonne Wambui wrote: > thanks martin, your response shade some light and i can now understand what > im doing. Im trying to create a two way ssl connection, the problem when > verifying the connection to the server, its using my RootCA instead of the > server, hence throwing verification error 19. would you please advise on > what might be wrong > > > On Wed, Jan 8, 2014 at 8:27 PM, Martin Hecht <he...@hlrs.de> wrote: > >> On 08.01.2014 15:32, Yvonne Wambui wrote: >>> i get this error when verifing a non-self signed certificate. how do i >> make >>> it not point to the rootCA >>> >> It makes no sense to verify a non-self signed certificate without the >> rootCA certificate. To verify such a certificate you have to provide the >> certificate chain (which might be just one issuing CA, but often also >> some intermediate sub-CAs). A set of trusted CA certificates is provided >> by the distributions (most browsers bring their own collection of CA >> certificates). If the CA which has issued the certificate you are trying >> to verify is not included there, you can provide it on the command line >> for the openssl command or manually copy it into the folder your >> distribution is using, or you collect all your private trusted >> certificates in a folder which you manage. Depending which option you >> choose, you can specify the details when calling openssl verify by the >> parameters -CAfile or -CApath. You don't have to trust the intermediate >> CA's explicitly, but you have to provide the certificates if there are >> some (that's the -untrusted parameter). For details see the man page of >> the verify utility. >> >> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
