> On Dec 28, 2017, at 4:54 AM, Manuel Wagesreither <ManWag@xxxxxxxxxxx> wrote: > > Thanks for your feedback. Unfortunately I cannot include the certificate raw data as it may contain sensitive information. Also, I'm unable to replace them with self-made certificates as I don't know the parameters the original ones were created with in the first place. The original creators are inaccessible at the moment. If the problem persists, I will reproduce the problem with test certificates (whose raw data I can publish) in a few weeks. You should be able to publish edited output of: openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -text -noout With any sensitive values hand-replaced with "censored-NNN" where the "NNN" part uniquely corresponds to each original value (same values get same "NNN", distinct values get distinct "NNN"). The "chain.pem" file should have the leaf certificate first, then its issuer, then the issuer of that certificate, ... up to the trust anchor. Please also make sure that the chain in question passes (with OpenSSL 1.1.0 per your report) is reported verified with: $ openssl verify -no-CApath -no-CAfile \ -trusted root.pem -untrusted chain.pem \ chain.pem Where "root.pem" contains just the last certificate from the chain.pem file. Post the output of that command for 1.1.0. Please also report similar output for 1.0.2, with the command modified to: $ capath=$(mktemp -d empty.XXXXXX) $ cafile=root.pem $ openssl verify -CApath $capath -CAfile root.pem \ -trusted root.pem -untrusted chain.pem \ chain.pem Again, if anything in the output is sensitive, censor the values, with "censoredNNN" matching the replacements in the certificate chain. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users