
[openssl-users] How to verify a cert chain using Openssl command line?


David Li
Jun 29, 2015, 4:53:19 PM
Hi,

As a test, I have created a rootCA, a subCA (signed by the rootCA) and
a client cert (signed by the subCA). Now I want to use verify,
s_client and s_server to test them together.

However I searched and tried a number of times but still unsure about
the correct syntax format in verify command. This is what I did:

cat rootCA.crt subCA.crt > caChain.crt

openssl verify -verbose -CAfile caChain.crt clientCert.crt

openssl verify -CAfile caChain.crt client/clientCert.crt
client/clientCert.crt: C = US, ST = California, O = David's company,
CN = David's client cert, emailAddress = davi...@example.com
error 47 at 0 depth lookup:permitted subtree violation


However, it seems my s_client and s_server test is OK:

I created caChain.crt by concatenating rootCA and subCA together:

Server:
openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3

where serverComb.crt = cat of serverCert and server key

Client:
openssl s_client -CAfile caChain.crt -cert client/clientComb.crt

where clientComb.crt is the cat of clientCert and clientKey


Does anyone have any idea why the verify command failed?

Thanks.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Ben Humpert
Jun 29, 2015, 5:14:18 PM
Do you use nameConstraints, or have you specified an IP in subjectAltName?
Because OpenSSL can't handle that correctly.

David Li
Jun 29, 2015, 6:00:01 PM
The subCA has nameConstraints in the subCA configuration file:

[name_constraints]
permitted;DNS.0 = example.com

client configuration file has subjectAltName:
subjectAltName = DNS: www.cs.com

So is this a mismatch? How come the s_client/s_server test was okay?

Ben Humpert
Jun 29, 2015, 9:25:35 PM
Yes, because nameConstraints are inherited.

I don't know exactly where the bug lies but I strongly advise NOT to
use nameConstraints because while there is a standard nobody has
implemented full or correctly working support for it. I ran various
tests some weeks ago and the result was horrible. See
https://mta.openssl.org/pipermail/openssl-users/2015-May/001387.html
and https://mta.openssl.org/pipermail/openssl-users/2015-May/001388.html

David Li
Jun 30, 2015, 12:15:29 PM
Ben,

I think you are right. My verify test is okay now if I match the
subjectAltName to the nameConstraints defined by the subCA.
Thanks.

David
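
Added example, not from the thread: the script below rebuilds the setup described above (a root CA, a sub CA carrying nameConstraints, and client certificates signed by the sub CA) in a scratch directory and runs openssl verify against two client certificates, one whose subjectAltName lies inside the permitted subtree and one, like the original www.cs.com, that lies outside it. The inline "nameConstraints = critical, permitted;DNS:example.com" is the one-line equivalent of the [name_constraints] section quoted in the thread. The CA names, file names, EC keys and helper function names are assumptions made for the demo, not anything from the original posts.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the poster's setup in a scratch
# directory and show "openssl verify" accepting a client cert whose SAN sits
# inside the sub CA's nameConstraints and rejecting one whose SAN sits outside.
# All names (Demo Root CA, Demo Sub CA, www.example.com, www.cs.com) are
# assumptions chosen for the demo.
set -u

# One config file: the (empty) DN section that "req" insists on, plus one
# extension section per certificate type.
write_demo_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca

[req_dn]

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Leaves below this CA may only carry DNS names under example.com
nameConstraints = critical, permitted;DNS:example.com

[v3_leaf_good]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:www.example.com

[v3_leaf_bad]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:www.cs.com
EOF
}

# issue_cert NAME EXT_SECTION CA SUBJECT: make a CSR for NAME and sign it with
# CA.key, attaching the extensions from EXT_SECTION of demo.cnf.
issue_cert() {
    openssl req -new -config demo.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1.key" -out "$1.csr" -subj "$4" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 30 -extfile demo.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

# build_demo_pki DIR: root CA, name-constrained sub CA, two client certs and
# the thread's concatenated caChain.crt, all inside DIR.
build_demo_pki() {
    mkdir -p "$1" && (
        set -e
        cd "$1"
        write_demo_config demo.cnf
        openssl req -x509 -config demo.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout rootCA.key -out rootCA.crt -days 30 -subj "/CN=Demo Root CA" 2>/dev/null
        issue_cert subCA v3_subca rootCA "/CN=Demo Sub CA"
        # emailAddress in the subject is fine: the constraint only covers DNS names
        issue_cert clientGood v3_leaf_good subCA "/CN=Demo client/emailAddress=user@example.com"
        issue_cert clientBad  v3_leaf_bad  subCA "/CN=Demo client/emailAddress=user@example.com"
        cat rootCA.crt subCA.crt > caChain.crt
    )
}

# verify_leaf DIR LEAF: trust only the root and offer subCA.crt as an untrusted
# intermediate; print "ok" or the X509_V_ERR number openssl reported
# (47 is X509_V_ERR_PERMITTED_VIOLATION, "permitted subtree violation").
verify_leaf() {
    if out=$(cd "$1" && openssl verify -CAfile rootCA.crt -untrusted subCA.crt "$2" 2>&1); then
        echo ok
    else
        code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
        echo "${code:-unknown}"
    fi
}

# Stand-alone run: prints "clientGood.crt: ok" and "clientBad.crt: 47"
demo() {
    dir=$(mktemp -d) || return 1
    build_demo_pki "$dir" || return 1
    for leaf in clientGood.crt clientBad.crt; do
        printf '%s: %s\n' "$leaf" "$(verify_leaf "$dir" "$leaf")"
    done
    rm -rf "$dir"
}
demo
```

The script trusts only rootCA.crt and hands subCA.crt to verify with -untrusted, which mirrors what a TLS peer does with the intermediate it receives; concatenating both into one -CAfile, as in the thread, also verifies but turns the intermediate into a trust anchor. Note also that s_client and s_server print peer verification failures (as "verify error:num=47:permitted subtree violation") but continue the handshake unless -verify_return_error is given, so a handshake that completes in that test does not by itself show that the chain verified.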

suneel...@gmail.com
Aug 12, 2019, 11:02:31 PM
Hello,

I'm very new to this and am looking for the latest Windows-compatible (Win32OpenSSL) OpenSSL tool, with instructions to generate the SSL certificate using cmd and without installing the OpenSSL tool.

Any assistance will be highly appreciated; I can be reached at the email address Suneel...@gmail.com

Thanking you in Advance!

Best Regards,
Suneel
