On Tue, Jun 13, 2006 19:28:58 PM +0200, io (mfioretti@xxxxxxxxx) wrote: > I have a remote server running centos 4.3 and a home desktop running > suse 10.1. I have generated an SSL certificate on the server, copied > it on the desktop and run on the desktop: After a lot of googling, I have found that: openssl -verify -issuer_checks returns: error 30 at 0 depth lookup:authority and subject key identifier mismatch which, in turn, seems to be caused by screwed settings of subjectKeyIdentifier and authorityKeyIdentifier in openssl.conf. But I have not changed them from the default: ###################################################################### marco@polaris:~/geecheck/usr/share/ssl> grep -i keyidentifier openssl.cnf subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. authorityKeyIdentifier=keyid:always,issuer:always marco@polaris:~/geecheck/usr/share/ssl> ######################################################################## should I change them? If yes, to which values? The ones suggested at http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-current.html, for example: are in contrast with them. I will try those settings tomorrow, but I would really like to hear your opinion, before trying all possible combinations of values... TIA, marco -- Marco Fioretti mfioretti, at the server mclink.it Fedora Core 3 for low memory http://www.rule-project.org/ Excuse me for being greedy, but I want freedom and good government. Both a flourishing economy and a well-cared-for earth. A society that is diverse and communal.. that offers both privacy and accountability. One that can afford a big conscience, along with lots of neat toys. -- David Brin -- The Transparent Society _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos