[openssl-users] Problem verifying a certificate chain

Viktor Dukhovni openssl-users at dukhovni.org
Thu Nov 30 18:54:01 UTC 2017



> On Nov 30, 2017, at 2:46 AM, Pascal Withopf <pwithopf at adiscon.com> wrote:
> 
> Here is serverCA.pem as a file and as text

These are, I expect, test certs and keys, so posting the keys too
is presumably not a problem...

In any case, the problem is that the CA certificate is a v1
certificate with no extensions.  It needs to be a v3 certificate
with basicConstraints CA:true, and keyUsage befitting a CA.

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            92:fb:86:47:d7:eb:1f:c3
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=XX, ST=XX, L=test, O=Testorganisation, CN=Root CA
        Validity
            Not Before: Nov 30 07:30:13 2017 GMT
            Not After : Dec 30 07:30:13 2017 GMT
        Subject: C=XX, ST=XX, L=test, O=Testorganisation, CN=Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:f3:7b:2b:e3:e6:ed:e4:ec:90:01:99:05:59:
                    62:94:16:eb:f0:fd:07:8e:5d:13:38:85:04:72:48:
                    05:48:76:c2:0b:bb:63:79:c7:49:4b:d2:33:5d:75:
                    6f:f2:79:c7:55:db:23:4d:b6:4a:89:82:b6:ff:aa:
                    1d:d2:07:1b:4d:68:c8:f5:3d:87:b6:76:05:bd:4a:
                    0a:79:d8:27:e0:0d:a7:a7:7b:39:13:85:7b:d3:b0:
                    02:cb:0e:3d:27:d9:a6:8a:a0:65:7c:a8:3a:72:73:
                    a9:61:af:99:39:97:e5:f7:9c:8d:3d:4a:bd:ac:af:
                    4a:80:31:d7:46:c7:9a:3f:65
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         aa:d0:92:67:17:00:fe:33:7f:b9:94:2c:63:6e:ce:cf:02:25:
         77:d9:df:1e:89:3f:6b:fd:02:54:73:04:36:54:c1:5a:a5:35:
         27:4b:9d:55:55:f1:9f:d4:72:10:9a:e0:3d:42:e2:8a:af:80:
         aa:00:92:16:3d:16:49:9a:df:94:13:63:df:50:99:50:87:1e:
         a0:52:5e:ec:8b:23:4c:28:e8:f8:f3:fc:10:fc:8d:72:1d:3f:
         40:ac:89:42:18:d5:80:03:df:ad:24:ff:74:c3:4e:e0:de:ac:
         01:7a:df:b0:62:67:1b:85:84:bd:c4:d4:89:79:41:21:46:d6:
         59:06


-- 
	Viktor.



More information about the openssl-users mailing list