Ben, I think you are right. My verify test is okay now if I match the subjectAltName to the nameConstraints defined by the subCA.

Thanks.
David

On Mon, Jun 29, 2015 at 6:23 PM, Ben Humpert <ben at an3k.de> wrote:
> Yes, because nameConstraints are inherited.
>
> I don't know exactly where the bug lies but I strongly advise NOT to
> use nameConstraints because while there is a standard nobody has
> implemented full or correctly working support for it. I ran various
> tests some weeks ago and the result was horrible. See
> https://mta.openssl.org/pipermail/openssl-users/2015-May/001387.html
> and https://mta.openssl.org/pipermail/openssl-users/2015-May/001388.html
>
> 2015-06-29 23:58 GMT+02:00 David Li <dlipubkey at gmail.com>:
>> The subCA has nameConstraints in the subCA configuration file:
>>
>> [name_constraints]
>> permitted;DNS.0 = example.com
>>
>> client configuration file has subjectAltName:
>> subjectAltName = DNS: www.cs.com
>>
>> So is this a mismatch? How come s_client/s_server test was okay?
>>
>> On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert <ben at an3k.de> wrote:
>>> Do you use nameConstraints or have specified IP in subjectAltName?
>>> Because OpenSSL can't handle that correctly.
>>>
>>> 2015-06-29 22:51 GMT+02:00 David Li <dlipubkey at gmail.com>:
>>>> Hi,
>>>>
>>>> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
>>>> a client cert (signed by the subCA). Now I want to use verify,
>>>> s_client and s_server to test them together.
>>>>
>>>> However I searched and tried a number of times but am still unsure about
>>>> the correct syntax format in the verify command. This is what I did:
>>>>
>>>> cat rootCA.crt subCA.crt > caChain.crt
>>>>
>>>> openssl -verbose -verify -CAflie caChain.crt clientCert.crt
>>>>
>>>> openssl verify -CAfile caChain.crt client/clientCert.crt
>>>> client/clientCert.crt: C = US, ST = California, O = David's company,
>>>> CN = David's client cert, emailAddress = david.li at example.com
>>>> error 47 at 0 depth lookup:permitted subtree violation
>>>>
>>>> However it seems my s_client and s_server test is OK:
>>>>
>>>> I created a caChain by concatenating rootCA and subCA together:
>>>>
>>>> Server:
>>>> openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3
>>>>
>>>> where serverComb.crt = cat of serverCert and server key
>>>>
>>>> Client:
>>>> openssl s_client -CAfile caChina.crt -cert client/clientComb.crt
>>>>
>>>> where clientComb = cat of clientCert and clientKey
>>>>
>>>> Does anyone have any idea why the verify command failed?
>>>>
>>>> Thanks.
>>>> _______________________________________________
>>>> openssl-users mailing list
>>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
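Added example, not part of the thread: a throwaway PKI in a temp directory that mirrors the setup discussed above (a root CA, a sub CA carrying `permitted;DNS:example.com`, and leaf certificates whose subjectAltName is checked against it), verified with `openssl verify` against the same kind of concatenated chain file. It assumes only that the `openssl` binary is on PATH; every CA name, file name and the two SAN values are constructed for the demo. The `bad` leaf uses the poster's `www.cs.com` SAN and reproduces the `error 47 ... permitted subtree violation`; the `good` leaf, whose SAN sits inside the permitted subtree, passes, which is the match David ends up making.

```shell
#!/bin/sh
# Added example (not part of the thread). Builds a throwaway PKI that mirrors
# the poster's setup and shows openssl verify applying the sub CA's
# nameConstraints to the leaf certificate. Assumes `openssl` is on PATH; every
# name and file below is constructed for this demo.
set -eu

# Issue a leaf under the sub CA.  $1 = file basename, $2 = DNS name for the SAN.
issue_leaf() {
  cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Demo $1 client
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2
EOF
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$1.key" -out "$1.csr" -config "$1.cnf" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
      -out "$1.crt" -days 30 -extfile "$1.cnf" -extensions v3_leaf 2>/dev/null
}

# Root CA -> sub CA (with nameConstraints) -> two leaves; prints the demo dir.
build_demo_pki() {
  demo=$(mktemp -d)
  (
    cd "$demo"
    # Root CA: self-signed, no constraints, like the poster's rootCA.
    cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.crt -days 30 -config root.cnf 2>/dev/null

    # Sub CA: the permitted subtree lives here, so every leaf it issues is
    # constrained by it (inline form of the poster's [name_constraints] section).
    cat > sub.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Demo Sub CA
[v3_sub]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical,permitted;DNS:example.com
EOF
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout sub.key -out sub.csr -config sub.cnf 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out sub.crt -days 30 -extfile sub.cnf -extensions v3_sub 2>/dev/null

    # Same chain file the poster built: root + sub concatenated.
    cat root.crt sub.crt > chain.crt

    issue_leaf good www.example.com   # inside the permitted subtree
    issue_leaf bad  www.cs.com        # the poster's SAN: outside it
  )
  printf '%s\n' "$demo"
}

# Echo "ok" or "fail" for one leaf; the exit status of openssl verify decides.
verify_status() {  # $1 = demo dir, $2 = leaf basename
  if openssl verify -CAfile "$1/chain.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

demo_dir=$(build_demo_pki)
for leaf in good bad; do
  printf '%s.crt: %s\n' "$leaf" "$(verify_status "$demo_dir" "$leaf")"
done
# Show the full verify error for the constrained-out leaf (same as the poster's).
openssl verify -CAfile "$demo_dir/chain.crt" "$demo_dir/bad.crt" 2>&1 || true
```

The constraint is placed on the sub CA only, and the root carries none, so the violation is reported at depth 0 against the leaf: `openssl verify` checks each certificate's names against the nameConstraints of every issuer above it in the chain, which is the inheritance Ben describes. `www.example.com` satisfies `DNS:example.com` because a DNS constraint without a leading dot permits the name itself and anything built by adding labels to its left; `www.cs.com` does not.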