The subCA has nameConstraints in the subCA configuration file:

[name_constraints]
permitted;DNS.0 = example.com

The client configuration file has subjectAltName:

subjectAltName = DNS: www.cs.com

So is this a mismatch? How come the s_client/s_server test was okay?

On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert <ben at an3k.de> wrote:
> Do you use nameConstraints or have specified IP in subjectAltName?
> Because OpenSSL can't handle that correctly.
>
> 2015-06-29 22:51 GMT+02:00 David Li <dlipubkey at gmail.com>:
>> Hi,
>>
>> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
>> a client cert (signed by the subCA). Now I want to use verify,
>> s_client and s_server to test them together.
>>
>> However, I searched and tried a number of times but am still unsure about
>> the correct syntax format of the verify command. This is what I did:
>>
>> cat rootCA.crt subCA.crt > caChain.crt
>>
>> openssl -verbose -verify -CAflie caChain.crt clientCert.crt
>>
>> openssl verify -CAfile caChain.crt client/clientCert.crt
>> client/clientCert.crt: C = US, ST = California, O = David's company,
>> CN = David's client cert, emailAddress = david.li at example.com
>> error 47 at 0 depth lookup:permitted subtree violation
>>
>>
>> However, it seems my s_client and s_server test is OK:
>>
>> I created a caChain by concatenating rootCA and subCA together:
>>
>> Server:
>> openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3
>>
>> where serverComb.crt = cat of serverCert and server key
>>
>> Client:
>> openssl s_client -CAfile caChina.crt -cert client/clientComb.crt
>>
>> where clientComb = cat of clientCert and clientKey
>>
>>
>> Does anyone have any idea why the verify command failed?
>>
>> Thanks.
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
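An added example, not from the thread, that walks through the RFC 5280 name-constraint matching behind "error 47 ... permitted subtree violation": with the subCA's permitted subtree `DNS example.com`, the leaf's `DNS:www.cs.com` lies outside the subtree, a `www.example.com` name would pass, and the subject emailAddress stays unconstrained because the subCA lists no email subtree. The name lists are constructed from the mail and the numeric error codes are assumed to mirror OpenSSL's X509_V_ERR_PERMITTED_VIOLATION (47) and X509_V_ERR_EXCLUDED_VIOLATION (48).

```python
# Added example: RFC 5280 section 4.2.1.10 name-constraint matching for DNS
# and email names, reproducing why the thread's leaf certificate fails.
OK = 0
PERMITTED_VIOLATION = 47   # assumed to mirror X509_V_ERR_PERMITTED_VIOLATION
EXCLUDED_VIOLATION = 48    # assumed to mirror X509_V_ERR_EXCLUDED_VIOLATION

def dns_in_subtree(name: str, base: str) -> bool:
    """A DNS name is in the subtree if it equals the base or is a
    (possibly deeper) subdomain of it; matching is case-insensitive."""
    name, base = name.lower().rstrip('.'), base.lower().rstrip('.')
    if base.startswith('.'):      # ".example.com": subdomains only (OpenSSL form)
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith('.' + base)

def email_in_subtree(addr: str, base: str) -> bool:
    """A full address constrains exactly one mailbox; a host name (or a
    leading-dot form) constrains the domain part of the address."""
    addr, base = addr.lower(), base.lower()
    if '@' in base:
        return addr == base
    return dns_in_subtree(addr.rsplit('@', 1)[-1], base)

MATCHERS = {'DNS': dns_in_subtree, 'email': email_in_subtree}

def check_name_constraints(cert_names, permitted, excluded=()):
    """cert_names / permitted / excluded are lists of (type, value) pairs,
    e.g. ('DNS', 'www.cs.com'). Returns 0 on success or an error code."""
    for ntype, value in cert_names:
        match = MATCHERS[ntype]
        # Excluded subtrees win: any match of the same type is a violation.
        if any(match(value, base) for t, base in excluded if t == ntype):
            return EXCLUDED_VIOLATION
        # Permitted subtrees apply per name type: if the CA lists none of
        # this type, names of that type are unconstrained.
        bases = [base for t, base in permitted if t == ntype]
        if bases and not any(match(value, base) for base in bases):
            return PERMITTED_VIOLATION
    return OK

# Constructed from the mail: subCA permits DNS example.com; the leaf carries
# SAN DNS:www.cs.com and an emailAddress attribute in its subject.
SUBCA_PERMITTED = [('DNS', 'example.com')]
LEAF_NAMES = [('DNS', 'www.cs.com'), ('email', 'david.li@example.com')]

if __name__ == '__main__':
    print(check_name_constraints(LEAF_NAMES, SUBCA_PERMITTED))               # 47
    print(check_name_constraints([('DNS', 'www.example.com')], SUBCA_PERMITTED))  # 0
```

Note that s_client and s_server only print the chain verification result by default (the apps' verify callback returns success unless -verify_return_error is given), so a completed handshake is not evidence that the chain verifies.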