Problem verifying a certificate chain

Hi,

I'm reading the book "Network Security with OpenSSL" published by O'Reilly at the moment.
I'm following the example program and trying to establish a connection between a server and a client.
I did the following to create my certificates:

To create the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout rootkey.pem -out rootreq.pem
$ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
$ cat rootcert.pem rootkey.pem > root.pem

To create the server CA and sign it with the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverCAkey.pem -out serverCAreq.pem
$ openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
$ cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

To create the server's certificate and sign it with the Server CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverkey.pem -out serverreq.pem
$ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
$ cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem

Which means I have the following certificate chain:
root.pem -> serverCA.pem -> server.pem

But when I try to make a connection I see the following error at the client side:
Error with certificate at depth: 1
issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
err 24:invalid CA certificate

I get the same error with this command:
$ openssl verify -CAfile root.pem -untrusted serverCA.pem server.pem
server.pem: C = XX, ST = XX, L = test, O = Testorganisation, CN = Server CA
error 24 at 1 depth lookup:invalid CA certificate
OK

When I sign my server certificate directly with the root CA and leave the server CA out, everything works fine.

Did I do something wrong creating the certificates? Or where could the problem be?

Best Regards
Pascal Withopf
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
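A check worth running on the certificates above, added here as an example and not part of the original post or of OpenSSL's own tooling: the three `openssl x509 -req` lines name `-extensions v3_ca` / `-extensions usr_cert` but pass no `-extfile`, and in OpenSSL 1.x the section name is only consulted when an `-extfile` is given, so `x509 -req` emits a version 1 certificate with no extensions at all. Verify error 24 (`X509_V_ERR_INVALID_CA`) is raised when a certificate used as an intermediate lacks `basicConstraints CA:TRUE`; a self-signed version 1 root in the trust store is still tolerated as a legacy trust anchor, which is why signing the server certificate directly with the root works. The script below rebuilds the same root -> Server CA -> server chain in a scratch directory with `-extfile`, runs the same `openssl verify` invocation, and reports the version and CA flag of each certificate. Every file name, subject and the contents of `ext.cnf` are constructed for this demo; `ext.cnf` mirrors the `v3_ca` and `usr_cert` sections of a stock `openssl.cnf`.

```shell
#!/bin/sh
# Added example, not from the original post: rebuilds the post's three-level chain in
# a scratch directory, but hands the extension config to 'openssl x509 -req' through
# -extfile so that the v3_ca / usr_cert sections named by -extensions are really
# applied, then checks each certificate for the CA flag that verify error 24
# (X509_V_ERR_INVALID_CA, "invalid CA certificate") reports as missing.
# File names, subjects and the ext.cnf contents are constructed for this demo.
set -eu

# Exit 0 only if the PEM certificate in $1 carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Print the X.509 version number of $1; a version 1 certificate carries no extensions,
# which is what 'x509 -req' emits when no -extfile is supplied.
cert_version() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Build root -> Server CA -> server in directory $1. The last command is the same
# verify call as in the post, so the function's exit status is the verify result.
build_chain() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # root CA: self-signed, CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Root CA' \
        -keyout "$d/rootkey.pem" -out "$d/rootreq.pem" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/rootreq.pem" -signkey "$d/rootkey.pem" \
        -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/rootcert.pem" 2>/dev/null
    # intermediate "Server CA": signed by the root, CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Server CA' \
        -keyout "$d/serverCAkey.pem" -out "$d/serverCAreq.pem" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/serverCAreq.pem" -CA "$d/rootcert.pem" \
        -CAkey "$d/rootkey.pem" -CAcreateserial -extfile "$d/ext.cnf" \
        -extensions v3_ca -out "$d/serverCAcert.pem" 2>/dev/null
    # end-entity server certificate: signed by the intermediate, CA:FALSE
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=server.example' \
        -keyout "$d/serverkey.pem" -out "$d/serverreq.pem" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/serverreq.pem" -CA "$d/serverCAcert.pem" \
        -CAkey "$d/serverCAkey.pem" -CAcreateserial -extfile "$d/ext.cnf" \
        -extensions usr_cert -out "$d/servercert.pem" 2>/dev/null
    # trust only the root; the intermediate is supplied as untrusted, as in the post
    openssl verify -CAfile "$d/rootcert.pem" -untrusted "$d/serverCAcert.pem" \
        "$d/servercert.pem" >/dev/null
}

# Demo run: build the chain and report version and CA flag of every certificate.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_chain "$work"
    for f in rootcert.pem serverCAcert.pem servercert.pem; do
        if is_ca_cert "$work/$f"; then ca=yes; else ca=no; fi
        echo "$f: version $(cert_version "$work/$f"), CA:TRUE=$ca"
    done
fi
```

Running `is_ca_cert` and `cert_version` against the post's own `serverCAcert.pem` is the quickest way to confirm or rule out this cause: an intermediate that reports version 1, or version 3 without `CA:TRUE`, will always fail with error 24 at depth 1, whatever the rest of the chain looks like.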
