Hi Steve,

> 2020/10/04 10:44:05 OpenSSL error: C = CA, O = Enterprises, OU = PKI, CN =
> Enterprises DEV Intermediate Linux CA
> error 7 at 0 depth lookup: certificate signature failure
> 140027263935616:error:0D0C50C7:asn1 encoding
> routines:ASN1_item_verify:unknown signature
> algorithm:../crypto/asn1/a_verify.c:121:
> 2020/10/04 10:44:05 I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__
> => 512
> 2020/10/04 10:44:05 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert, __ERRVAL__ =>
> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
> __ERRVAL__: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> __COMMAND__: OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert
>
> I'm working on better understanding interoperability between Microsoft and
> OpenSSL. The RootCA signing the issuing SubCA is Microsoft Certificate
> Services. The security provider is ECDSA_P521#Microsoft Software Key Storage
> Provider.

Which OpenSSL version are you using? Would you mind providing us with the Root CA and Intermediate CA certificate so we can investigate the problem?

> - Do I need to do anything to support ECC certs on OpenXPKI?

No, it should just work.

> - what should I look into on the Microsoft side (concepts, not actual
> settings or references to useful MS Docs, unless you know your MS CS). I've
> got where in the registry to look to set things, would need to know what to
> set for the certificate service to sign properly. if that's the problem.

If the certificates are encoded properly according to RFC 5280 it should work. However, I have seen really *strange* things with regard to supposedly.

BTW, did you truncate the parsed CA certificates' output? No extensions at all? But still X.509v3? I am confused.

Cheers

Martin

--
Cynops GmbH
Dipl.-Ing. Martin Bartosch http://www.cynops.de
Kirchgasse 10c mobile: +49 (0)172 6614304 mail: i...@cynops.de
61449 Steinbach/Ts. fon: +49 (0)6171 6981803 fax: +49 (0)6171 6981809
Geschäftsführer: Martin Bartosch USt-IdNr: DE 213094986
HRB 7833 Amtsgericht Bad Homburg v. d. Höhe