[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni openssl-users at dukhovni.org
Sat Dec 1 20:46:46 UTC 2018

On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:

> I could easily be wrong -- you guys know more about certificates than I ever
> will -- but I do not *think* there is any self-signed certificate in this
> scenario. There should be exactly two certificates in this discussion:
> 1. The client certificate. It is not self-signed (in the correct sense of
> the term, as opposed to the erroneous popular sense): it is signed by my
> "in-house" CA.
> 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> find it, right?

You seem to be stuck on a narrow meaning of the word "found".  The
self-signed certificate *was* found, but not in the trust-store.

It was found in the chain of certificates sent by the client to the
server for validation.  That's what the error message is telling
you, the chain building algorithm found a self-signed certificate
in the peer's chain, without finding a suitable trust-anchor in the
trust-store.  So validation cannot proceed further and fails.

> (Because of my error in not running the hash utility.)
> If you found it what is the problem? ...

Everything from here down is based on an incorrect reading of the
word "found".

> Am I missing something?

Yes: "found" != "found in the trust store"

Think "encountered" rather than "found" if that's more clear.


More information about the openssl-users mailing list