Hi,

I am getting a 'Certificate Signature Failure' (verify error:num=7:certificate 
signature failure) on Windows Server 2008 R2 Enterprise during certificate 
verification on the client side. I used the 'openssl s_client' command to check 
this behavior after seeing SSL handshake failure in my application that uses 
Python M2Crypto for the SSL communication. This failure is seen only on the 
Windows platform; RHEL and Ubuntu running the same Python app using the same 
certificates do have this problem. The CAs are loaded from files that contain:

Cert #1: Single self-signed cert with Subject = 'ABC' and Issuer = 'ABC'

And the following chain of 3 certs

Cert #2: This is part of a cert chain with Subject = 'ABC' and Issuer = 'ABC'
Cert #3: Intermediate CA Subject = 'ABC' and Issuer = 'Custom CA'
Cert #4: Self-signed root Subject = 'Custom CA' and Issuer = 'Custom CA'

Cert #1 and the chain have overlapping validity dates, so both are currently 
valid.

I encounter the problem only when I load 2 such CA files. One that corresponds 
to the server cert ('ABC') and another (say 'XYZ') that is used to verify a 
different server cert. The structure of both the certs is identical and the 
chains in them use the same self-signed root cert. But each has a different 
Subject and Issuer for the top level cert ('ABC' and 'XYZ').

I used exactly the same certificates for my Unix clients and they do not have 
this problem. An identical 'openssl s_client' command is successful on the Unix 
clients.

I am using OpenSSL 1.0.1h libraries.

Any suggestions on how to troubleshoot/resolve this problem will be very 
helpful.

Thank you,
Jag.
