> It was found in the chain of certificates sent by the client to the
> server for validation

Again, I could be wrong but that is my point. I do not think the client is sending a chain of certificates, but rather only one, the CA-signed client certificate. (I wrote and configured the client, and generated the certificate, and loaded it into the certificate store.)

Charles

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Viktor Dukhovni
Sent: Saturday, December 1, 2018 12:47 PM
To: openssl-users@xxxxxxxxxxx
Subject: Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:

> I could easily be wrong -- you guys know more about certificates than I ever
> will -- but I do not *think* there is any self-signed certificate in this
> scenario. There should be exactly two certificates in this discussion:
>
> 1. The client certificate. It is not self-signed (in the correct sense of
> the term, as opposed to the erroneous popular sense): it is signed by my
> "in-house" CA.
>
> 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> find it, right?

You seem to be stuck on a narrow meaning of the word "found". The self-signed certificate *was* found, but not in the trust-store. It was found in the chain of certificates sent by the client to the server for validation. That's what the error message is telling

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
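
Added example, not part of either message above: a shell reproduction, using the `openssl verify` command, of the difference between a root that arrives in the peer's chain but is not trusted (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, error 19) and a root that is simply absent (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, error 20). The CA, client certificate, file names and helper functions are constructed for the demo, `-untrusted` stands in for the certificates a peer sends, and the last two cases go slightly beyond the thread by showing that a CApath directory is searched by hashed file name.

```shell
#!/bin/sh
# Constructed demo PKI; nothing here comes from the thread.
# Assumes the openssl CLI, version 1.1.0 or later (for -no-CAfile).

# Echo the first verify error number openssl reports, or 0 on success.
first_verify_error() {
    if out=$(openssl verify "$@" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# Create a throwaway root CA, a client cert signed by it, and an empty CApath.
make_demo_pki() {   # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo In-House CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/client.pem" 2>/dev/null
    mkdir "$1/capath"
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d"
    set -- -no-CAfile -CApath "$d/capath"
    # 1. Peer sends leaf + root, trust directory is empty.
    sent_root=$(first_verify_error "$@" -untrusted "$d/ca.pem" "$d/client.pem")
    # 2. Peer sends only the leaf, trust directory is empty.
    leaf_only=$(first_verify_error "$@" "$d/client.pem")
    # 3. Root copied into CApath under an arbitrary name: not looked up.
    cp "$d/ca.pem" "$d/capath/my-ca.pem"
    unhashed=$(first_verify_error "$@" -untrusted "$d/ca.pem" "$d/client.pem")
    # 4. Root stored as <subject_hash>.0, the name CApath lookup expects.
    h=$(openssl x509 -in "$d/ca.pem" -noout -subject_hash)
    cp "$d/ca.pem" "$d/capath/$h.0"
    trusted=$(first_verify_error "$@" -untrusted "$d/ca.pem" "$d/client.pem")
    rm -rf "$d"
    echo "$sent_root $leaf_only $unhashed $trusted"
}
```

`run_demo` prints the four results in order; seeing 19 rather than 20 on the verifying side indicates that the self-signed root was among the certificates presented to the verifier.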