Do you use nameConstraints or have specified IP in subjectAltName?
Because OpenSSL can't handle that correctly.

2015-06-29 22:51 GMT+02:00 David Li <dlipubkey at gmail.com>:
> Hi,
>
> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
> a client cert (signed by the subCA). Now I want to use verify,
> s_client and s_server to test them together.
>
> However I searched and tried a number of times but still unsure about
> the correct syntax format in verify command. This is what I did:
>
> cat rootCA.crt subCA.crt > caChain.crt
>
> openssl -verbose -verify -CAflie caChain.crt clientCert.crt
>
> openssl verify -CAfile caChain.crt client/clientCert.crt
> client/clientCert.crt: C = US, ST = California, O = David's company,
> CN = David's client cert, emailAddress = david.li at example.com
> error 47 at 0 depth lookup:permitted subtree violation
>
>
> However it seems my s_client and s_server test is OK:
>
> I created a caChain by concatenating rootCA and subCA together:
>
> Server:
> openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3
>
> where serverComb.crt = cat of serverCert and server key
>
> Client:
> openssl s_client -CAfile caChina.crt -cert client/clientComb.crt
>
> where clientComb is = cat of clientCert and clientKey
>
>
> Anyone has any idea why verify command failed?
>
> Thanks.
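
Added example, not part of the original thread: a script that builds a rootCA, subCA and client chain in which the subCA carries an e-mail `nameConstraints` extension, then runs the `openssl verify -CAfile caChain.crt` form from the question against a client certificate outside and inside the permitted subtree. All names, domains, extension values and the function `verify_with_email` are constructed for illustration; it assumes OpenSSL 1.1.0 or later on the PATH.

```bash
#!/bin/sh
# Constructed demo: every name, domain and file below is made up.
set -eu

# Build root CA -> sub CA (carrying an e-mail nameConstraint) -> client cert,
# then verify the client cert. $1 = e-mail address put in the client's SAN.
verify_with_email() {
  dir=$(mktemp -d)
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
[sub_ext]
basicConstraints = critical,CA:TRUE
nameConstraints = critical,permitted;email:example.com
[client_ext]
subjectAltName = email:$1
EOF
  (
    cd "$dir"
    issue() {  # $1=name  $2=subject  $3=issuer name  $4=extension section
      openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "$2" -keyout "$1.key" -out "$1.csr"
      openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -days 2 -extfile ca.cnf -extensions "$4" -out "$1.crt"
    }
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Demo Root CA" -extensions root_ext \
      -keyout rootCA.key -out rootCA.crt
    issue subCA  "/CN=Demo Sub CA" rootCA sub_ext
    issue client "/CN=Demo client" subCA  client_ext
    cat rootCA.crt subCA.crt > caChain.crt   # same bundle as in the question
  ) >/dev/null 2>&1
  # verify exits non-zero on failure, so keep the output and carry on
  out=$(openssl verify -CAfile "$dir/caChain.crt" "$dir/client.crt" 2>&1) || true
  rm -rf "$dir"
  printf '%s\n' "$out"
}

echo "--- SAN e-mail outside the permitted subtree ---"
verify_with_email "user@other.test"      # error 47 ... permitted subtree violation
echo "--- SAN e-mail inside the permitted subtree ---"
verify_with_email "user@example.com"     # .../client.crt: OK
```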