
Cert chain verify failure


Jeff Smith

Jul 24, 2001, 10:45:59 PM

Hi everyone,

I created a chain of 3 certificates as follows:

(1) a self-signed root ca cert, using

openssl genrsa -des3 -out ca.key
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -signkey ca.key -out ca.crt -in ca.csr

(2) a second ca cert, signed by the first ca, using

openssl genrsa -des3 -out ca2.key
openssl req -new -key ca2.key -out ca2.csr
openssl ca -cert ca.crt -keyfile ca.key -out ca2.crt -infiles ca2.csr

(3) a user cert using

openssl genrsa -des3 -out user.key
openssl req -new -key user.key -out user.csr
openssl ca -cert ca2.crt -keyfile ca2.key -out user.crt -infiles user.csr

But when I try to verify user.crt using

openssl verify -CAfile ca.crt -untrusted ca2.crt user.crt

it fails with

error 18 at 0 depth lookup:self signed certificate
and
error 7 at 0 depth lookup:certificate signature failure

I have looked through FAQs and related pages, but could not figure out why.
Could someone tell me the reasons?

Thank you in advance.

jeff



______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Jeff Smith

Jul 25, 2001, 2:44:05 PM

I forgot to mention that I could successfully verify ca2.crt after step (2)
using

% openssl verify -CAfile ca.crt ca2.crt
ca2.crt: OK

In addition to the question I had, I am wondering if there is any
workaround. What I need is a 2-level ca hierarchy.

Thanks - Jeff

Jeff Smith

Jul 25, 2001, 3:52:19 PM

... and using the -verbose option, the step (3) verify would produce:

% openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt

error 18 at 0 depth lookup:self signed certificate

error 7 at 0 depth lookup:certificate signature failure

21970:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
21970:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
21970:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:

Thanks!

Dr S N Henson

Jul 25, 2001, 11:20:19 PM
Jeff Smith wrote:
>
> ... and using -verbose option, the step (3) verify would produce:
>
> % openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt
>
> error 18 at 0 depth lookup:self signed certificate
> error 7 at 0 depth lookup:certificate signature failure
> 21970:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 21970:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
> 21970:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
>

Probably a typo somewhere which resulted in a certificate being signed
by the wrong key, though usually that produces an error.

The two CA certificates shouldn't have the same name: it will confuse
some software.

Also when you sign the CSR for the intermediate CA you need to include
the -extensions v3_ca command line option.

If that doesn't help then post the three certificates.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.
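The following script is an added example and is not code from the thread or from the OpenSSL project. It builds the 2-level CA hierarchy the original poster asked for with the two fixes from the reply applied: every certificate gets its own subject name, and the root and the intermediate carry CA extensions (what "-extensions v3_ca" supplies to "openssl ca"). It then runs the exact "openssl verify" command from the first post, and afterwards reissues the intermediate with no extensions to show the verify failure that an intermediate issued without the v3_ca profile causes. It assumes the openssl CLI (1.1.1 or later) is on PATH; it signs with "openssl x509 -req -extfile" rather than "openssl ca" so that no CA database, index or serial file has to be set up, and the file names, subject names and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the 2-level CA hierarchy the
# original poster wanted with the two fixes from the reply applied: every
# certificate has its own subject name, and the root and intermediate carry
# CA extensions (what "-extensions v3_ca" supplies to "openssl ca").
# Assumes the openssl CLI (1.1.1 or later) is on PATH. Signs with
# "openssl x509 -req -extfile" instead of "openssl ca" so that no CA database,
# index or serial file is needed; file, subject and function names are made up.
set -eu

write_config() {
    # [req] lets "openssl req" run non-interactively with -subj; the other two
    # sections are extension profiles selected with -extensions when signing.
    cat > "$1/chain.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# new_csr DIR NAME SUBJECT: fresh RSA key and a CSR with the given subject.
new_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "$3" \
        -config "$1/chain.cnf" -out "$1/$2.csr" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> end-entity, the same three steps as
# the original post, written to ca.crt, ca2.crt and user.crt under DIR.
build_chain() {
    d=$1
    write_config "$d"
    # (1) self-signed root with CA extensions
    new_csr "$d" ca "/CN=Example Root CA"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/chain.cnf" -extensions v3_ca -out "$d/ca.crt" 2>/dev/null
    # (2) intermediate signed by the root: a different name, CA extensions
    new_csr "$d" ca2 "/CN=Example Intermediate CA"
    openssl x509 -req -in "$d/ca2.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1825 -extfile "$d/chain.cnf" -extensions v3_ca \
        -out "$d/ca2.crt" 2>/dev/null
    # (3) end-entity certificate signed by the intermediate
    new_csr "$d" user "/CN=user@example.test"
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca2.crt" -CAkey "$d/ca2.key" \
        -CAcreateserial -days 365 -extfile "$d/chain.cnf" -extensions v3_leaf \
        -out "$d/user.crt" 2>/dev/null
}

# reissue_intermediate_without_ca_profile DIR: re-sign the intermediate's CSR
# with no extensions at all, reproducing an intermediate issued without
# -extensions v3_ca. Its key is unchanged, so user.crt still chains to it by
# name and signature; only the CA status is missing.
reissue_intermediate_without_ca_profile() {
    openssl x509 -req -in "$1/ca2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1825 -out "$1/ca2.crt" 2>/dev/null
}

# verify_leaf DIR: the exact check from the thread. Prints openssl's verdict
# and returns its exit status, which is 0 only when the whole chain is good.
verify_leaf() {
    (cd "$1" && openssl verify -CAfile ca.crt -untrusted ca2.crt user.crt 2>&1)
}

# Stand-alone run: the proper chain verifies ("user.crt: OK"); after the
# intermediate is reissued without CA extensions, verify rejects the chain
# because ca2.crt is no longer a valid CA certificate.
work=$(mktemp -d)
build_chain "$work"
echo "intermediate with v3_ca:    $(verify_leaf "$work")"
reissue_intermediate_without_ca_profile "$work"
echo "intermediate without v3_ca: $(verify_leaf "$work" || true)"
rm -rf "$work"
```

The distinct subject names matter because the verifier picks candidate issuers for each certificate by name before it checks signatures, so a root and an intermediate that share a name can be confused with each other; the CA:TRUE basicConstraints on the intermediate is what makes it acceptable as an issuer at all. Both are cheap to check on an existing chain with "openssl x509 -in ca2.crt -noout -subject -issuer -ext basicConstraints".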

Jeff Smith

Jul 26, 2001, 7:11:41 PM
Thanks. It works. Jeff
