Hi, I'm reading the book "Network Security with OpenSSL" published by O'Reilly at the moment. I'm following the example program and trying to establish a connection between a server and a client. I did the following to create my certificates:
To create the root CA:

  $ openssl req -newkey rsa:1024 -sha1 -nodes -keyout rootkey.pem -out rootreq.pem
  $ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
  $ cat rootcert.pem rootkey.pem > root.pem

To create the server CA and sign it with the root CA:

  $ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverCAkey.pem -out serverCAreq.pem
  $ openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
  $ cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

To create the server's certificate and sign it with the server CA:

  $ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverkey.pem -out serverreq.pem
  $ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
  $ cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem

Which means I have the following certificate chain:

  root.pem -> serverCA.pem -> server.pem

But when I try to make a connection I see the following error at the client side:

  Error with certificate at depth: 1
    issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
    subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
    err 24:invalid CA certificate

I get the same error with this command:

  $ openssl verify -CAfile root.pem -untrusted serverCA.pem server.pem
  server.pem: C = XX, ST = XX, L = test, O = Testorganisation, CN = Server CA
  error 24 at 1 depth lookup:invalid CA certificate
  OK

When I sign my server certificate directly with the root CA and leave the server CA out, everything works fine.

Did I do something wrong creating the certificates? Or where could the problem be?

Best Regards
Pascal Withopf
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
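The script below is an added reproduction of the chain from the message above; it is not part of the original post. It builds the same root -> intermediate -> server chain twice with `openssl x509 -req`: once with the options as posted, where `-extensions v3_ca` names a configuration section but no `-extfile` supplies one, so no extensions are written and the intermediate is issued without `basicConstraints CA:TRUE`, and once with an explicit extension file. It then runs the same `openssl verify -CAfile ... -untrusted ...` check against both chains: the first reports `error 24 ... invalid CA certificate` at depth 1 exactly as in the message, the second passes. The file names, subjects, `ca.cnf` contents, 30-day validity and 2048-bit keys (instead of 1024, so the chain is not rejected for an unrelated key-size reason on systems with a higher default security level) are this example's own choices, and it needs the `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the posted chain in a
# temporary directory, once as posted and once with an -extfile, and run the
# same "openssl verify" against each. Names and ca.cnf contents are assumptions.
set -eu

# Extension sections that "-extensions v3_ca" and "-extensions usr_cert" refer
# to. Without an -extfile, openssl x509 -req has nowhere to read these from.
write_ext_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF
}

# build_chain DIR MODE
#   MODE "posted": the signing commands as in the message (no -extfile)
#   MODE "fixed":  the same commands plus -extfile ca.cnf
build_chain() {
    dir=$1
    mode=$2
    mkdir -p "$dir"
    ext=""
    if [ "$mode" = fixed ]; then
        write_ext_config "$dir"
        ext="-extfile $dir/ca.cnf"
    fi
    # Root CA, self-signed with its own key.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Root CA" \
        -keyout "$dir/rootkey.pem" -out "$dir/rootreq.pem" 2>/dev/null
    openssl x509 -req -in "$dir/rootreq.pem" -days 30 $ext -extensions v3_ca \
        -signkey "$dir/rootkey.pem" -out "$dir/rootcert.pem" 2>/dev/null
    # Intermediate (server CA) signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Server CA" \
        -keyout "$dir/serverCAkey.pem" -out "$dir/serverCAreq.pem" 2>/dev/null
    openssl x509 -req -in "$dir/serverCAreq.pem" -days 30 $ext -extensions v3_ca \
        -CA "$dir/rootcert.pem" -CAkey "$dir/rootkey.pem" -CAcreateserial \
        -out "$dir/serverCAcert.pem" 2>/dev/null
    # Server certificate signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$dir/serverkey.pem" -out "$dir/serverreq.pem" 2>/dev/null
    openssl x509 -req -in "$dir/serverreq.pem" -days 30 $ext -extensions usr_cert \
        -CA "$dir/serverCAcert.pem" -CAkey "$dir/serverCAkey.pem" -CAcreateserial \
        -out "$dir/servercert.pem" 2>/dev/null
}

# verify_chain DIR: the check from the message; returns openssl's exit status.
verify_chain() {
    openssl verify -CAfile "$1/rootcert.pem" -untrusted "$1/serverCAcert.pem" \
        "$1/servercert.pem" 2>&1
}

# is_ca CERT: succeeds only if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
for mode in posted fixed; do
    build_chain "$work/$mode" "$mode"
    if is_ca "$work/$mode/serverCAcert.pem"; then
        echo "[$mode] intermediate carries basicConstraints CA:TRUE"
    else
        echo "[$mode] intermediate has no CA:TRUE basicConstraints"
    fi
    verify_chain "$work/$mode" || true
done
```

The quickest check on an existing chain is `openssl x509 -in serverCAcert.pem -noout -text`: an intermediate that is to sit at depth 1 must show an `X509v3 Basic Constraints` block with `CA:TRUE`, otherwise the verifier will not accept it as an issuer regardless of how the root is trusted. A self-signed root is treated more leniently, which is why signing the server certificate directly with the root hides the problem.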