[openssl-users] Self signed cert issues
openssl-users at dukhovni.org
Mon Sep 19 14:25:14 UTC 2016
On Mon, Sep 19, 2016 at 06:55:37AM -0400, shawn wilson wrote:
> End goal - I don't want the machine (curl, wget, git, etc) to throw errors
> when accessing a site that I trust (ie, within the company).
When you add a certificate to the trust store (CAfile or CApath), it
will be a trust-anchor for verification if and only if:
* It is a self-signed "root" CA.
* It is an intermediate CA, you're running OpenSSL 1.0.2 or later,
and you've set the "X509_V_FLAG_PARTIAL_CHAIN" flag (see below).
* It exactly matches the peer's end-entity certificate, you're running
OpenSSL 1.0.2 or later, and you've set the "X509_V_FLAG_PARTIAL_CHAIN"
> [root at srwilson-centos7 anchors]# openssl s_client -showcerts -connect
> site.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > site_git.pem
This writes the certificates sent on the wire by "site.com" to
"site_git.pem". Quite often this does not include the issuing root
CA. And it is of course unwise to write whatever you get on the
wire, uninspected, to your trust store. I hope you're doing this
just to explain your issue.
> [root at srwilson-centos7 anchors]# openssl verify site_git.pem
> site_git.pem: C = US, O = foo, OU = bar, OU = baz, OU = Devices, CN =
> error 20 at 0 depth lookup:unable to get local issuer certificate
As you expected, this chain's trust-anchor is not yet available.
> [root at srwilson-centos7 anchors]# update-ca-trust enable; update-ca-trust extract
Presumably at this point, c_rehash(1) or equivalent has been executed
and any certificates in that chain are in the trust store.
> [root at srwilson-centos7 anchors]# openssl s_client -CApath ./ -connect
> site.com:443 </dev/null 2>/dev/null | grep Verify
> Verify return code: 21 (unable to verify the first certificate)
This is expected if the chain in question did not include the root
CA. Make sure that the certificates in question did actually get
c_rehash(1) symlinks, and retest with:
$ openssl s_client -partial_chain -CApath $PWD -connect site.com:443
The "-partial_chain" option turns on the "X509_V_FLAG_PARTIAL_CHAIN"
verification flag, which enables intermediate and leaf trust-anchors.
More information about the openssl-users