I could easily be wrong -- you guys know more about certificates than I ever will -- but I do not *think* there is any self-signed certificate in this scenario. There should be exactly two certificates in this discussion: 1. The client certificate. It is not self-signed (in the correct sense of the term, as opposed to the erroneous popular sense): it is signed by my "in-house" CA. 2. The CA certificate. Yes, it is a root and self-signed, but you didn't find it, right? (Because of my error in not running the hash utility.) If you found it what is the problem? Does the hashing process imply trust? Then the error message should be "untrusted CA certificate," no? (There is only one certificate in the CApath folder.) Am I missing something? Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Viktor Dukhovni Sent: Friday, November 30, 2018 4:37 PM To: openssl-users@xxxxxxxxxxx Subject: Re: Self-signed error when using SSL_CTX_load_verify_locations CApath > On Nov 30, 2018, at 7:25 PM, Charles Mills <charlesm@xxxxxxx> wrote: > > Well, it ought then to say "I couldn't find any certificates at all" rather > than "I found a self-signed certificate" when it did not. A self-signed certificate was found, in the chain being verified. The message should likely be more clear (perhaps along the lines suggested by Michael Wojcik), but it is not incorrect. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
