[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath
Viktor Dukhovni
openssl-users at dukhovni.org
Sat Dec 1 20:46:46 UTC 2018
On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:
> I could easily be wrong -- you guys know more about certificates than I ever
> will -- but I do not *think* there is any self-signed certificate in this
> scenario. There should be exactly two certificates in this discussion:
>
> 1. The client certificate. It is not self-signed (in the correct sense of
> the term, as opposed to the erroneous popular sense): it is signed by my
> "in-house" CA.
>
> 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> find it, right?
You seem to be stuck on a narrow meaning of the word "found". The
self-signed certificate *was* found, but not in the trust-store.
It was found in the chain of certificates sent by the client to the
server for validation. That's what the error message is telling
you, the chain building algorithm found a self-signed certificate
in the peer's chain, without finding a suitable trust-anchor in the
trust-store. So validation cannot proceed further and fails.
> (Because of my error in not running the hash utility.)
> If you found it what is the problem? ...
Everything from here down is based on an incorrect reading of the
word "found".
> Am I missing something?
Yes: "found" != "found in the trust store"
Think "encountered" rather than "found" if that's more clear.
--
Viktor.
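An added example, not from the thread, that reproduces the failure described above with the openssl CLI and then clears it by hashing the CApath directory. It constructs a throwaway in-house CA and client certificate on the spot and assumes an `openssl` binary (1.1.0 or later, for `openssl rehash`) on PATH.

```shell
set -eu

# Build an in-house root CA and a client cert it signs, in a scratch dir.
# All material is constructed here for the demo; nothing real.
make_test_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=In-house Test CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -days 30 -in client.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out client.pem 2>/dev/null
    # What the client sends on the wire: its own cert plus the self-signed root.
    cat client.pem ca.pem > chain.pem
    # CApath directory holding the CA cert, but with no <subject-hash>.0 link,
    # i.e. the hash utility was never run on it.
    mkdir capath
    cp ca.pem capath/
}

# Verify client.pem the way a server configured with only CApath would:
# the peer's chain is *untrusted* input; trust anchors come only from the
# directory lookup. Prints OK, or the X509 verify error number.
verify_against_capath() {
    out=$(openssl verify -no-CAfile -CApath capath \
              -untrusted chain.pem client.pem 2>&1) \
        && { echo OK; return 0; }
    # "error 19 at 1 depth lookup: self-signed certificate in certificate chain":
    # the root was encountered in the peer chain but not found in the store.
    echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
}

main() {
    make_test_pki
    echo "before rehash: error $(verify_against_capath)"   # error 19
    # Create the <subject-hash>.0 symlink the directory lookup needs
    # (c_rehash on OpenSSL 1.0.x).
    openssl rehash capath >/dev/null 2>&1
    echo "after rehash:  $(verify_against_capath)"         # OK
}

main "$@"
```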