[openssl-users] Self signed cert issues

Viktor Dukhovni openssl-users at dukhovni.org
Mon Sep 19 14:25:14 UTC 2016

On Mon, Sep 19, 2016 at 06:55:37AM -0400, shawn wilson wrote:

> End goal - I don't want the machine (curl, wget, git, etc) to throw errors
> when accessing a site that I trust (ie, within the company).

When you add a certificate to the trust store (CAfile or CApath), it
will be a trust-anchor for verification if and only if:

  * It is a self-signed "root" CA.
  * It is an intermediate CA, you're running OpenSSL 1.0.2 or later,
    and you've set the "X509_V_FLAG_PARTIAL_CHAIN" flag (see below).
  * It exactly matches the peer's end-entity certificate, you're running
    OpenSSL 1.0.2 or later, and you've set the "X509_V_FLAG_PARTIAL_CHAIN"

> [root at srwilson-centos7 anchors]# openssl s_client -showcerts -connect
> site.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > site_git.pem

This writes the certificates sent on the wire by "site.com" to
"site_git.pem".  Quite often this does not include the issuing root
CA.  And it is of course unwise to write whatever you get on the
wire, uninspected, to your trust store.  I hope you're doing this
just to explain your issue.

> [root at srwilson-centos7 anchors]# openssl verify site_git.pem
> site_git.pem: C = US, O = foo, OU = bar, OU = baz, OU = Devices, CN =
> site.com
> error 20 at 0 depth lookup:unable to get local issuer certificate

As you expected, this chain's trust-anchor is not yet available.

> [root at srwilson-centos7 anchors]# update-ca-trust enable; update-ca-trust extract

Presumably at this point, c_rehash(1) or equivalent has been executed
and any certificates in that chain are in the trust store.

> [root at srwilson-centos7 anchors]# openssl s_client -CApath ./ -connect
> site.com:443 </dev/null 2>/dev/null | grep Verify
>     Verify return code: 21 (unable to verify the first certificate)

This is expected if the chain in question did not include the root
CA.  Make sure that the certificates in question did actually get
c_rehash(1) symlinks, and retest with:

    $ openssl s_client -partial_chain -CApath $PWD -connect site.com:443

The "-partial_chain" option turns on the "X509_V_FLAG_PARTIAL_CHAIN"
verification flag, which enables intermediate and leaf trust-anchors.
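The trust-anchor rule above (a self-signed root; an intermediate only with -partial_chain; the exact leaf only with -partial_chain) checked against a throwaway chain, as an added example that is not part of the thread or of OpenSSL's own documentation. It also shows the subject/issuer inspection that tells you whether a chain captured with s_client actually ended in a root. It assumes the openssl CLI (1.0.2 or later, for -partial_chain); the names Example Root, Example Intermediate, site.example and the ext.cnf sections are constructed for the demo.

```shell
# Added example, not from the thread: build root -> intermediate -> leaf with the openssl
# CLI, then test which file works as a trust anchor for "openssl verify" (names constructed).
setup_pki() {
    dir=$(mktemp -d)
    cat >"$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:site.example
EOF
    for n in root int leaf; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$dir/$n.key"
    done
    # Self-signed root (subject == issuer), then an intermediate and a leaf signed down the chain.
    openssl req -x509 -new -config "$dir/ext.cnf" -key "$dir/root.key" -subj "/CN=Example Root" \
        -extensions v3_ca -days 30 -out "$dir/root.pem"
    openssl req -new -config "$dir/ext.cnf" -key "$dir/int.key" -subj "/CN=Example Intermediate" \
        -out "$dir/int.csr"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -set_serial 2 \
        -days 30 -extfile "$dir/ext.cnf" -extensions v3_ca -out "$dir/int.pem" 2>/dev/null
    openssl req -new -config "$dir/ext.cnf" -key "$dir/leaf.key" -subj "/CN=site.example" \
        -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -set_serial 3 \
        -days 30 -extfile "$dir/ext.cnf" -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null
    echo "$dir"
}
# "yes" when issuer equals subject; a wire chain whose last cert says "no" lacks its root.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject); i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}
# verify_leaf ANCHOR LEAF [more openssl verify options]; the exit status is the verdict.
verify_leaf() { a=$1; l=$2; shift 2; openssl verify "$@" -CAfile "$a" "$l" >/dev/null 2>&1; }

# Stand-alone run: one verdict per anchor choice, with and without -partial_chain.
d=$(setup_pki)
for c in "root.pem -untrusted $d/int.pem" int.pem "int.pem -partial_chain" leaf.pem "leaf.pem -partial_chain"; do
    set -- $c; a=$1; shift
    verify_leaf "$d/$a" "$d/leaf.pem" "$@" && r=OK || r=FAIL
    echo "anchor=$a $* -> $r"
done
```

Only the root passes without -partial_chain; the intermediate and the leaf pass only once the flag turns them into acceptable anchors.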
