Re: [CentOS] SSL fingerprint mismatch and issuer certificate problem


On Tue, Jun 13, 2006 19:28:58 PM +0200, io (mfioretti@xxxxxxxxx) wrote:
> I have a remote server running centos 4.3 and a home desktop running
> suse 10.1. I have generated an SSL certificate on the server, copied
> it on the desktop and run on the desktop:

After a lot of googling, I have found that:

openssl -verify -issuer_checks returns:

error 30 at 0 depth lookup:authority and subject key identifier mismatch

which, in turn, seems to be caused by screwed settings of
subjectKeyIdentifier and authorityKeyIdentifier in openssl.conf. But I
have not changed them from the default:

######################################################################
marco@polaris:~/geecheck/usr/share/ssl> grep -i keyidentifier openssl.cnf
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
authorityKeyIdentifier=keyid:always,issuer:always
marco@polaris:~/geecheck/usr/share/ssl>
########################################################################

Should I change them? If yes, to which values? The ones suggested at
http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-current.html,
for example, are in contrast with them. I will try those settings
tomorrow, but I would really like to hear your opinion, before trying
all possible combinations of values...

TIA,
	marco

-- 
Marco Fioretti                    mfioretti, at the server mclink.it
Fedora Core 3 for low memory      http://www.rule-project.org/

Excuse me for being greedy, but I want freedom and good government.
Both a flourishing economy and a well-cared-for earth. A society that
is diverse and communal.. that offers both privacy and accountability.
One that can afford a big conscience, along with lots of neat toys.
                             -- David Brin -- The Transparent Society 
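
The grep output in the message drops the section headers, so it cannot show which pair of settings ends up in a given certificate. The following is an added example, not part of the original post: it maps each key identifier setting to its openssl.cnf section and resolves which section `openssl req -x509` and `openssl ca` apply. The sample file and its section names are constructed, assumed from the stock openssl.cnf layout.

```python
import re

# Constructed sample; section names assumed from the stock openssl.cnf layout.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
x509_extensions = v3_ca
[ usr_cert ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
"""
WANTED = ("subjectKeyIdentifier", "authorityKeyIdentifier")

def parse_cnf(text):
    """Return {section: {key: value}}; keys before any header go in 'default'."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def key_id_settings(text):
    """Per section, the key identifier settings that grep printed without context."""
    return {name: {k: v for k, v in body.items() if k in WANTED}
            for name, body in parse_cnf(text).items()
            if any(k in body for k in WANTED)}

def active_section(text, command):
    """Extension section used by 'req' (openssl req -x509) or 'ca' (openssl ca)."""
    cnf = parse_cnf(text)
    if command == "ca":  # openssl ca reads the section named by [ca] default_ca
        command = cnf.get("ca", {}).get("default_ca")
    return cnf.get(command, {}).get("x509_extensions")

if __name__ == "__main__":
    for cmd in ("req", "ca"):
        print(cmd, key_id_settings(SAMPLE_CNF).get(active_section(SAMPLE_CNF, cmd)))
```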