[openssl-users] How to verify a cert chain using Openssl command line?

David Li dlipubkey at gmail.com
Mon Jun 29 21:58:07 UTC 2015


The subCA  has nameConstraints in the subCA configuration file:

[name_constraints]
permitted;DNS.0 = example.com

client configuration file has subjectAltName:
subjectAltName = DNS: www.cs.com

So is this a mismatch? How come s_client/s_server test was okay?





On Mon, Jun 29, 2015 at 2:12 PM, Ben Humpert <ben at an3k.de> wrote:
> Do you use nameConstraints or have specified IP in subjectAltName?
> Because OpenSSL can't handle that correctly.
>
> 2015-06-29 22:51 GMT+02:00 David Li <dlipubkey at gmail.com>:
>> Hi,
>>
>> As a test, I have created a rootCA, a subCA (signed by the rootCA) and
>> a client cert (signed by the subCA). Now I want to use verify,
>> s_client and s_server to test them together.
>>
>> However I searched and tried a number of times but still unsure about
>> the correct syntax format in verify command. This is what I did:
>>
>> cat rootCA.crt subCA.crt > caChain.crt
>>
>> openssl -verbose -verify -CAflie caChain.crt clientCert.crt
>>
>> openssl verify -CAfile caChain.crt client/clientCert.crt
>> client/clientCert.crt: C = US, ST = California, O = David's company,
>> CN = David's client cert, emailAddress = david.li at example.com
>> error 47 at 0 depth lookup:permitted subtree violation
>>
>>
>> However it seems my s_client and s_server test is OK:
>>
>> I created a caChain by cancatenating rootCA and subCA together:
>>
>> Server:
>> openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3
>>
>> where serverComb.crt = cat of serverCert and server key
>>
>> Client:
>> openssl s_client -CAfile caChina.crt -cert client/clientComb.crt
>>
>> where clientComb is  = cat of clientCert and clientKey
>>
>>
>> Anyone has any idea why verify command failed?
>>
>> Thanks.
>> _______________________________________________
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list