Check the digests used for signing. Windows (after updates) may refuse MD5 signatures on certificates; I would recommend regenerating new certs with at least SHA256.
-Kyle H

On September 22, 2014 9:34:59 AM PST, "Vellore-Arumugam, Jagdish (Svr Automation)" <jagdish.arumu...@hp.com> wrote:
>Hi,
>
>I am getting a 'Certificate Signature Failure' (verify
>error:num=7:certificate signature failure) on Windows Server 2008 R2
>Enterprise during certificate verification on the client side. I used
>the 'openssl s_client' command to check this behavior after seeing SSL
>handshake failure in my application that uses Python M2Crypto for the
>SSL communication. This failure is seen only on the Windows platform,
>RHEL and Ubuntu running the same python app using the same certificates
>does have this problem. The CAs are loaded from files that contain:
>
>Cert #1: Single self-signed cert with Subject ='ABC' and Issuer = 'ABC'
>
>And the following chain of 3 certs
>
>Cert#2: This is part of a cert chain with Subject = 'ABC' and Issuer =
>'ABC'
>Cert#3: Intermediate CA Subject = 'ABC' and Issuer = 'Custom CA'
>Cert#4: Self-signed root Subject = 'Custom CA' and Issuer = 'Custom CA'
>
>Cert #1 and the chain have overlapping validity dates, so both are
>currently valid.
>
>I encounter the problem only when I load 2 such CA files. One that
>corresponds to the server cert ('ABC') and another (say 'XYZ') that is
>used to verify a different server cert. The structure of both the certs
>are identical and the chains in them use the same self-signed root
>cert. But each have different Subject and Issuer for the top level cert
>('ABC' and 'XYZ').
>
>I used exactly the same certificates for my Unix clients and they do
>not have this problem. An identical 'openssl s_client' command is
>successful on the Unix clients.
>
>I am using OpenSSL 1.0.1h libraries.
>
>Any suggestions on how to troubleshoot/resolve this problem will be
>very helpful.
>
>Thank you,
>Jag.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.