> From: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx> On Behalf Of Aleksei “filimonic” Filimonov
>
> I have a one-tier PKI, and I have a self-signed CA (ca.crt) and a host cert (host.crt).

...

> root@radius2:/tmp/certs# openssl verify -verbose -crl_download -crl_check -show_chain
> -verify_depth 10 -issuer_checks -no_alt_chains -check_ss_sig -CAfile
> /tmp/certs/ca.crt -CApath /tmp/certs/ca-list /tmp/certs/host.crt

Typically use -CAfile *or* -CApath, not both. -issuer_checks and -no_alt_chains are deprecated. Do you actually have a CRL server?

> /tmp/certs/host.crt: OK
> Chain:
> depth=0: O = OD.FREEIPA.XYZ, CN = rpi4b.od.freeipa.xyz (untrusted)
> depth=1: O = OD.FREEIPA.XYZ, CN = OD.FREEIPA.XYZ Certificate Authority

I believe openssl verify always lists certificates that aren't trusted in the path as "untrusted". The trusted certificates are the ones found via -CAfile, -CApath, or -trusted (which can't be specified with -CAfile or -CApath). verify is reporting that the chain starts with an untrusted certificate, but can be built to a trusted one.

> I have the same issue for FreeRADIUS running this server:
>
> Tue Nov 5 22:37:37 2024 : Warning: Certificate chain - 1 cert(s) untrusted
> Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [1]
> subject name /O=OD.FREEIPA.XYZ/CN=OD.FREEIPA.XYZ Certificate Authority
> Tue Nov 5 22:37:37 2024 : Warning: (TLS) untrusted certificate with depth [0]
> subject name /O=OD.FREEIPA.XYZ/CN=rpi4b.od.freeipa.xyz

No, you don't have the same issue with FreeRADIUS. openssl verify says the root is trusted; FreeRADIUS says it is not. The root is not in the collection of trust anchors for FreeRADIUS. I don't work with FreeRADIUS, so I don't know how to fix that, but it's a FreeRADIUS problem, not an OpenSSL one.

Michael Wojcik
Distinguished Technologist, Rocket Software
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/SA1PR07MB9764E1D144E868000A9D77E5C0532%40SA1PR07MB9764.namprd07.prod.outlook.com.
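To see the distinction Michael draws (a certificate marked "(untrusted)" in the chain listing versus a root that is genuinely not a trust anchor), here is an added example that is not part of the thread: it builds a throwaway one-tier PKI like the poster's and runs `openssl verify -show_chain` both with the CA as the anchor and with the CA supplied only as an untrusted chain cert. The subject names and paths are constructed for the demo, and openssl 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed CA plus a host
# cert signed by it, then compare verify's output when the CA is a trust
# anchor (-CAfile) against when it is merely present in the chain (-untrusted).
# Subject names are constructed; assumes openssl 1.1.1+ on PATH.
set -eu

# make_pki DIR: write ca.crt/ca.key and host.crt/host.key into DIR.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=EXAMPLE.TEST Certificate Authority" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE.TEST/CN=host.example.test" \
        -keyout "$1/host.key" -out "$1/host.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/host.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/host.crt" >/dev/null 2>&1
}

# verify_anchored DIR: the CA is the only trust anchor (-CAfile, no -CApath).
# Expect "host.crt: OK" and a chain whose depth=0 entry is marked
# "(untrusted)" while depth=1 (the CA) carries no marker: verify is only
# saying the leaf did not come from the trust store.
verify_anchored() {
    openssl verify -show_chain -no-CApath -CAfile "$1/ca.crt" "$1/host.crt"
}

# verify_unanchored DIR: the CA is supplied, but only as an untrusted chain
# cert, never as an anchor. This mirrors the FreeRADIUS symptom in the thread:
# the chain is complete yet ends in a self-signed cert nothing trusts, so
# verify fails and exits non-zero.
verify_unanchored() {
    openssl verify -show_chain -no-CAfile -no-CApath \
        -untrusted "$1/ca.crt" "$1/host.crt"
}

demo() {
    d=$(mktemp -d)
    make_pki "$d"
    echo "--- CA as trust anchor:"; verify_anchored "$d"
    echo "--- CA present but not an anchor:"
    verify_unanchored "$d" || echo "(verify failed, as expected)"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```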