On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote: > I could easily be wrong -- you guys know more about certificates than I ever > will -- but I do not *think* there is any self-signed certificate in this > scenario. There should be exactly two certificates in this discussion: > > 1. The client certificate. It is not self-signed (in the correct sense of > the term, as opposed to the erroneous popular sense): it is signed by my > "in-house" CA. > > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't > find it, right? You seem to be stuck on a narrow meaning of the word "found". The self-signed certificate *was* found, but not in the trust-store. It was found in the chain of certificates sent by the client to the server for validation. That's what the error message is telling you, the chain building algorithm found a self-signed certificate in the peer's chain, without finding a suitable trust-anchor in the trust-store. So validation cannot proceed further and fails. > (Because of my error in not running the hash utility.) > If you found it what is the problem? ... Everything from here down is based on an incorrect reading of the word "found". > Am I missing something? Yes: "found" != "found in the trust store" Think "encountered" rather than "found" if that's more clear. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
