Re: [openssl-users] Certificate validating (openssl -verify ...) and interpreting messages
On 18/05/2016 21:38, Walter H. wrote:
> On 18.05.2016 21:10, Viktor Dukhovni wrote:
> > > On May 18, 2016, at 1:26 PM, Walter H. wrote:
> > >
> > > openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem
> > >
> > > /tmp/chain.pem contains a root certificate
> > > /tmp/cert.pem contains a certificate that was signed by this root certificate;
> > >
> > > I get the following output
> > >
> > > /tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
> > > error 19 at 1 depth lookup:self signed certificate in certificate chain
> > >
> > > of course the number 19 means 'self signed certificate in certificate chain'
> > > as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html
> > >
> > > but what does the number 1 (at ... depth) say?
> >
> > It means that while constructing a chain, the immediate issuer of the
> > leaf certificate was an untrusted self-signed certificate. The leaf
> > certificate has depth 1, its issuer has depth 0.
>
> Ah, ok; in case there had been a chain with 3 certificates
> 2 means the leaf certificate, 1 means the issuing intermediate
> and 0 means the self signed root?

No, 0 is always the leaf, 1 is always the issuer of the leaf,
2 is always the issuer of the issuer of the leaf, etc.

So for a chain with 3 certificates, 2 is the root.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
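The depth numbering Jakob describes can be reproduced with throwaway certificates. The script below is an added example, not part of the thread: the certificate names, the scratch directory and the helper functions `issue` and `verify_depth` are constructed for illustration, and it assumes an `openssl` command-line binary on the PATH.

```shell
#!/usr/bin/env bash
# Added example: throwaway certificates, all names constructed for illustration.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME CN [ISSUER EXT]: write NAME.key and NAME.pem; self-signed if no ISSUER.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$W/$1.key"
  if [ $# -lt 3 ]; then
    openssl req -x509 -new -key "$W/$1.key" -subj "/CN=$2" -days 2 \
      -config "$W/cnf" -extensions v3_ca -out "$W/$1.pem"
  else
    openssl req -new -key "$W/$1.key" -subj "/CN=$2" -config "$W/cnf" \
      -out "$W/$1.csr"
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$3.pem" -CAkey "$W/$3.key" \
      -CAcreateserial -days 2 -extfile "$W/cnf" -extensions "$4" \
      -out "$W/$1.pem" 2>/dev/null
  fi
}

# verify_depth CERT UNTRUSTED...: print "<error> <depth>" of the first verify error.
# The constructed root is in no trust store, so the self-signed root at the top
# of the chain is the certificate that fails.
verify_depth() {
  cert=$1; shift
  cat "$@" > "$W/untrusted.pem"
  { openssl verify -untrusted "$W/untrusted.pem" "$cert" 2>&1 || true; } |
    sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup.*/\1 \2/p' | head -n 1
}

issue root "Example Root"
issue int  "Example Intermediate" root v3_ca
issue leaf "Example Leaf"         int  v3_leaf

# Two certificates, as in the question: a certificate plus the root that signed it.
two=$(verify_depth "$W/int.pem" "$W/root.pem")
# Three certificates: leaf, intermediate, root.
three=$(verify_depth "$W/leaf.pem" "$W/int.pem" "$W/root.pem")
echo "2-certificate chain: error/depth = $two"
echo "3-certificate chain: error/depth = $three"
```

It reports `19 1` for the two-certificate chain and `19 2` for the three-certificate chain: the depth in the message is that of the self-signed root, counted from the certificate being verified at depth 0.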
Re: [openssl-users] Certificate validating (openssl -verify ...) and interpreting messages
On 18.05.2016 21:10, Viktor Dukhovni wrote:
> > On May 18, 2016, at 1:26 PM, Walter H. wrote:
> >
> > openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem
> >
> > /tmp/chain.pem contains a root certificate
> > /tmp/cert.pem contains a certificate that was signed by this root certificate;
> >
> > I get the following output
> >
> > /tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
> > error 19 at 1 depth lookup:self signed certificate in certificate chain
> >
> > of course the number 19 means 'self signed certificate in certificate chain'
> > as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html
> >
> > but what does the number 1 (at ... depth) say?
>
> It means that while constructing a chain, the immediate issuer of the
> leaf certificate was an untrusted self-signed certificate. The leaf
> certificate has depth 1, its issuer has depth 0.

Ah, ok; in case there had been a chain with 3 certificates
2 means the leaf certificate, 1 means the issuing intermediate
and 0 means the self signed root?

Thanks,
Walter
Re: [openssl-users] Certificate validating (openssl -verify ...) and interpreting messages
> On May 18, 2016, at 1:26 PM, Walter H. wrote:
>
> openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first
> -untrusted /tmp/chain.pem /tmp/cert.pem
>
> /tmp/chain.pem contains a root certificate
> /tmp/cert.pem contains a certificate that was signed by this root certificate;
>
> I get the following output
>
> /tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
> error 19 at 1 depth lookup:self signed certificate in certificate chain
>
> of course the number 19 means 'self signed certificate in certificate chain'
> as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html
>
> but what does the number 1 (at ... depth) say?

It means that while constructing a chain, the immediate issuer of the
leaf certificate was an untrusted self-signed certificate. The leaf
certificate has depth 1, its issuer has depth 0.

--
Viktor.
[openssl-users] Certificate validating (openssl -verify ...) and interpreting messages
Hello,

when running this:

openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem

/tmp/chain.pem contains a root certificate
/tmp/cert.pem contains a certificate that was signed by this root certificate;

I get the following output

/tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
error 19 at 1 depth lookup:self signed certificate in certificate chain

of course the number 19 means 'self signed certificate in certificate chain'
as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html

but what does the number 1 (at ... depth) say?
does this reference a certificate of the whole chain, if so, which one
the root or the other one?

Thanks for help;

Greetings from Austria,
Walter