[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

[Charles Mills]

> It was found in the chain of certificates sent by the client to the
> server for validation

Again, I could be wrong but that is my point. I do not think the client is
sending a chain of certificates, but rather only one, the CA-signed client
certificate. (I wrote and configured the client, and generated the
certificate, and loaded it into the certificate store.)

Charles

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Saturday, December 1, 2018 12:47 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Self-signed error when using
SSL_CTX_load_verify_locations CApath

On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:

> I could easily be wrong -- you guys know more about certificates than I
ever
> will -- but I do not *think* there is any self-signed certificate in this
> scenario. There should be exactly two certificates in this discussion:
> 
> 1. The client certificate. It is not self-signed (in the correct sense of
> the term, as opposed to the erroneous popular sense): it is signed by my
> "in-house" CA.
> 
> 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> find it, right?

You seem to be stuck on a narrow meaning of the word "found".  The
self-signed certificate *was* found, but not in the trust-store.

It was found in the chain of certificates sent by the client to the
server for validation.  That's what the error message is telling