[openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 6 17:46:33 UTC 2016

> On Sep 6, 2016, at 11:53 AM, John Unsworth <John.Unsworth at synchronoss.com> wrote:
> I have noticed the following behaviour:
> 1 Create a certificate file with two CA certificates, one for the server being connected to (server A) and one for another server (server B).
> 2 Whichever way the CA certificates are ordered the connect works OK.
> 3 Add a self-signed CA certificate in the file before the one for server A. The connect fails ‘Verify return code: 21 (unable to verify the first certificate)’.
> 4 Move the self-signed CA certificate after the one for server A. The connect works OK.
> Why should the self-signed certificate affect the connection when the required CA certificate is in the certificate file? Is this a bug?

You've provided much too little detail for a meaningful answer.

Post the server chain being validated as reported by

   $ openssl s_client -showcerts -connect <server>:443 > chain.pem
   $ openssl crl2pkcs7 -nocrl -certfile chain.pem |
     openssl pkcs7 -print_certs

and all three CA certificates.  Do not post any of the private keys.


More information about the openssl-users mailing list