[openssl-users] Problem verifying a certificate chain

Pascal Withopf pwithopf at adiscon.com
Wed Nov 29 15:57:05 UTC 2017


$ openssl x509 -in serverCA.pem -noout -purpose

gave me this

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

If the purpose is incorrect, how can I set it?

2017-11-29 16:48 GMT+01:00 Viktor Dukhovni <openssl-users at dukhovni.org>:

> On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:
>
> > Which means I have the following certificate chain:
> > root.pem -> serverCA.pem -> server.pem
> >
> > But when I try to make a connection I see the following error at the client
> > side:
> > Error with certificate at depth: 1
> > issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
> > subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
> > err 24:invalid CA certificate
>
> The intermediate CA extensions are likely incorrect.  Post
> the certificate in question.
>
> > Did I do something wrong creating the certificates?
>
> Likely yes.
>
> --
>         Viktor.
>
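
The situation in this thread, reproduced as an added example that is not part of the original posts: a root -> Server CA -> server chain is built twice, once with the intermediate signed as `CA:TRUE` and once as `CA:FALSE`, and `openssl verify` is run on each. The subjects, key file names and the section names `ca_ok`, `ca_bad` and `leaf` are assumptions made for the demo; `CA:FALSE` is one way an intermediate ends up reporting "No" for the CA purposes, not necessarily what happened to the poster's certificate.

```shell
# Added example; subjects, key names and section names are constructed.
# verify_chain SECTION: build root -> Server CA -> server, signing the
# intermediate with extension section SECTION, then print the verify result.
verify_chain() (
    section=$1
    work=$(mktemp -d) && cd "$work" || exit 1
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ok ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca_bad ]
basicConstraints = CA:FALSE
[ leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    # Self-signed root, explicitly marked as a CA.
    openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions ca_ok \
        -subj "/CN=Demo Root CA" -days 30 -keyout root.key -out root.pem 2>/dev/null
    # Intermediate: CSR, then signed by the root with the chosen extensions.
    # "x509 -req" applies only what -extfile/-extensions name at signing time.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
        -subj "/CN=Demo Server CA" -keyout serverCA.key -out serverCA.csr 2>/dev/null
    openssl x509 -req -in serverCA.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ext.cnf -extensions "$section" -days 30 -out serverCA.pem 2>/dev/null
    # Leaf certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
        -subj "/CN=demo.example" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA serverCA.pem -CAkey serverCA.key \
        -CAcreateserial -extfile ext.cnf -extensions leaf -days 30 \
        -out server.pem 2>/dev/null
    # Same check a TLS client performs: root trusted, intermediate untrusted.
    openssl verify -CAfile root.pem -untrusted serverCA.pem server.pem 2>&1
    rc=$?
    cd / && rm -rf "$work"
    exit $rc
)

echo "== intermediate signed with CA:TRUE";  verify_chain ca_ok
echo "== intermediate signed with CA:FALSE"; verify_chain ca_bad || true
```

To repair an existing chain, the intermediate has to be re-issued by the root with the CA extensions; the extensions cannot be changed on an already signed certificate.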