[openssl-users] Question about X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN for a cert chain including the root cert

Bernhard Fröhlich ted at convey.de
Mon Aug 21 10:58:36 UTC 2017

Hi there,

I have a question about certificate chain checkin when the chain 
includes a root certificate.

The server I want to connect to with openssl s_client (Version 0.9.8zc) 
sends this certificate chain:

0 s:Server's cert
  i:Intermediate cert
1 s:Intermediate cert
  i:Root 1 cert
2 s:Root 1 cert
  i: Root 2 cert
3 s:Root 2 cert
  i:Root 2 cert

If my CA file includes the self signed Root 1 cert, but not the "Root 2 
cert" I get "Verify return code: 19 (self signed certificate in 
certificate chain)"
If I add the Root 2 cert to the CA file everything is fine.
If I try openssl verify on the Server's cert with a CA file including 
Intermediate cert and self-signed Root 1 cert, but not Root 2 cert, 
verify reports OK.

My view was that the Root 1 cert in the CA file should verify the chain. 
Obviously it does not, but why?
Are two certificates with the same subject but different issuer 
considered different? Or is this an issue with my ancient openssl version?

Kind regards

PGP Public Key Information
Key ID = 7AFB8D26
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

More information about the openssl-users mailing list