[openssl-users] Problem verifying a certificate chain

Pascal Withopf pwithopf at adiscon.com
Wed Nov 29 15:33:39 UTC 2017


I'm reading the book "Network Security with OpenSSL" published by O'Reilly
at the moment.
I'm following the example program and trying to establish a connection
between a server and a client.
I did the following to create my certificates:

To create the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout rootkey.pem -out
$ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey
rootkey.pem -out rootcert.pem
$ cat rootcert.pem rootkey.pem > root.pem

To create the server CA and sign it with the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverCAkey.pem -out
$ openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA
root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
$ cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

To create the server's certificate and sign it with the Server CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverkey.pem -out
$ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA
serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
$ cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem >

Which means I have the following certificate chain:
root.pem -> serverCA.pem -> server.pem

But when I try to make a connection I see following error at the client
Error with certificate at depth: 1
issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
err 24:invalid CA certificate

I get the same error with this command:
$ openssl verify -CAfile root.pem -untrusted serverCA.pem server.pem
server.pem: C = XX, ST = XX, L = test, O = Testorganisation, CN = Server CA
error 24 at 1 depth lookup:invalid CA certificate

When I sign my server certificate directly with the root CA and leave the
server CA out everything works fine.

Did I do something wrong creating the certificates? Or where could the
problem be?

Best Regards
Pascal Withopf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171129/42931e0c/attachment.html>

More information about the openssl-users mailing list