[openssl-users] Question about X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN for a cert chain including the root cert
ted at convey.de
Mon Aug 21 10:58:36 UTC 2017
I have a question about certificate chain checkin when the chain
includes a root certificate.
The server I want to connect to with openssl s_client (Version 0.9.8zc)
sends this certificate chain:
0 s:Server's cert
1 s:Intermediate cert
i:Root 1 cert
2 s:Root 1 cert
i: Root 2 cert
3 s:Root 2 cert
i:Root 2 cert
If my CA file includes the self signed Root 1 cert, but not the "Root 2
cert" I get "Verify return code: 19 (self signed certificate in
If I add the Root 2 cert to the CA file everything is fine.
If I try openssl verify on the Server's cert with a CA file including
Intermediate cert and self-signed Root 1 cert, but not Root 2 cert,
verify reports OK.
My view was that the Root 1 cert in the CA file should verify the chain.
Obviously it does not, but why?
Are two certificates with the same subject but different issuer
considered different? Or is this an issue with my ancient openssl version?
PGP Public Key Information
Key ID = 7AFB8D26
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
More information about the openssl-users