Check the digests used for signing. Windows (after updates) may refuse MD5 
signatures on certificates; I would recommend regenerating new certs with at 
least SHA256.

-Kyle H


On September 22, 2014 9:34:59 AM PST, "Vellore-Arumugam, Jagdish (Svr 
Automation)" <jagdish.arumu...@hp.com> wrote:
>Hi,
>
>I am getting a 'Certificate Signature Failure' (verify
>error:num=7:certificate signature failure) on Windows Server 2008 R2
>Enterprise during certificate verification on the client side. I used
>the 'openssl s_client' command to check this behavior after seeing SSL
>handshake failure in my application that uses Python M2Crypto for the
>SSL communication. This failure is seen only on the Windows platform;
>RHEL and Ubuntu running the same Python app using the same certificates
>do have this problem. The CAs are loaded from files that contain:
>
>Cert #1: Single self-signed cert with Subject ='ABC' and Issuer = 'ABC'
>
>And the following chain of 3 certs
>
>Cert#2: This is part of a cert chain with Subject = 'ABC' and Issuer =
>'ABC'
>Cert#3: Intermediate CA Subject = 'ABC' and Issuer = 'Custom CA'
>Cert#4: Self-signed root Subject = 'Custom CA' and Issuer = 'Custom CA'
>
>Cert #1 and the chain have overlapping validity dates, so both are
>currently valid.
>
>I encounter the problem only when I load 2 such CA files. One that
>corresponds to the server cert ('ABC') and another (say 'XYZ') that is
>used to verify a different server cert. The structure of both the certs
>is identical and the chains in them use the same self-signed root
>cert. But each has a different Subject and Issuer for the top level cert
>('ABC' and 'XYZ').
>
>I used exactly the same certificates for my Unix clients and they do
>not have this problem. An identical 'openssl s_client' command is
>successful on the Unix clients.
>
>I am using OpenSSL 1.0.1h libraries.
>
>Any suggestions on how to troubleshoot/resolve this problem will be
>very helpful.
>
>Thank you,
>Jag.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
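
A stdlib-only way to run the check Kyle suggests over a CA bundle, as an added example that is not from this thread: it reads the outer signatureAlgorithm OID of each certificate in a PEM file and flags MD5 (the thread's case) and SHA-1. The OID table is assumed from RFC 3279/4055, and the sample bundle is constructed in the block, not a real certificate.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279/4055); True marks a digest to reject.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
}

def _tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def signature_algorithm(der):
    """Dotted OID from the outer signatureAlgorithm field of a DER Certificate."""
    _, cert, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE {
    _, _, off = _tlv(cert, 0)        #   tbsCertificate (skipped)
    _, alg, _ = _tlv(cert, off)      #   signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(alg, 0)       #     algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "malformed AlgorithmIdentifier"
    return _oid(oid)

def weak_signatures(pem_text):
    """[(index, algorithm name)] for each MD5/SHA-1 signed cert in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [SIG_OIDS.get(signature_algorithm(base64.b64decode(b)), ("unknown", False)) for b in blocks]
    return [(i, name) for i, (name, weak) in enumerate(names) if weak]

# Constructed sample (not real certificates): minimal Certificate shells with an
# empty tbsCertificate and a 1-byte signature, one md5WithRSA, one sha256WithRSA.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def _fake_cert(oid_der):
    return _der(0x30, _der(0x30, b"") + _der(0x30, oid_der + b"\x05\x00") + b"\x03\x02\x00\x00")
def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
RSA_PKCS1 = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01"    # DER prefix of 1.2.840.113549.1.1.x
SAMPLE_BUNDLE = _pem(_fake_cert(RSA_PKCS1 + b"\x04")) + _pem(_fake_cert(RSA_PKCS1 + b"\x0b"))
```

Point `weak_signatures` at the contents of each CA file the client loads; any entry it returns is a certificate to re-issue with SHA-256 or stronger.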
