I have a One-Tier PKI, and I have a self-signed CA (ca.crt) and a host cert (host.crt).
root@radius2:/tmp/certs# c_rehash ./ca-list/
root@radius2:/tmp/certs# tree
.
├── ca.crt
├── ca-list
│ ├── 577f4bb3.0 -> ca.crt
│ ├── ca.crt -> ../ca.crt
│ └── ed3eb11a.0 -> ca.crt
└── host.crt
I'm trying to verify the certificate against the CA, and it says "untrusted".
root@radius2:/tmp/certs# openssl verify -verbose -crl_download -crl_check -show_chain -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile /tmp/certs/ca.crt -CApath /tmp/certs/ca-list /tmp/certs/host.crt
/tmp/certs/host.crt: OK
Chain:
depth=0: O = OD.FREEIPA.XYZ, CN = rpi4b.od.freeipa.xyz (untrusted)
depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority
Could anyone explain why this shows "untrusted" and how to make it "trusted"?
root@radius2:/tmp/certs# openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
root@radius2:/tmp/certs# ldd /usr/sbin/freeradius | grep libssl
libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f6665d2f000)
root@radius2:/tmp/certs# strings /lib/x86_64-linux-gnu/libssl.so.3 | grep OPENSSL_3
OPENSSL_3.0.0
OPENSSL_3.0.3
I have the same issue for FreeRADIUS running this server:
Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted
Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1] subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0] subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz