[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills charlesm at mcn.org
Fri Nov 30 17:47:24 UTC 2018

(Apologies if a duplicate - I think I mis-sent the first attempt.)


I wrote a TLS server application that runs under Windows and has been
working successfully for years. I am currently using OpenSSL 1.1.0f. When I
wrote the code I only supported a single CA file for client certificates. I
pass the file name in through SSL_CTX_load_verify_locations CAfile and with
CApath NULL. Recently I was asked to add support for multiple CA files. I
updated my parameter handling to support a CA path, and I can now pass the
path instead using SSL_CTX_load_verify_locations CApath.


I am using a client certificate that was signed by my "homegrown" CA (which
uses the OpenSSL utility). When I point to the CA .PEM with
SSL_CTX_load_verify_locations CAfile it works perfectly. When instead I use
CApath to point to a folder that contains only that one .PEM file it fails.
My verify callback is driven with


-Error with certificate at depth: 1

err 19:self signed certificate in certificate chain

error:1417C086:SSL routines:tls_process_client_certificate:certificate
verify failed:ssl\statem\statem_srvr.c:2893:


Yes, the CA certificate is a root certificate and is self-signed. But it
works as a CAfile. Can someone give me some guidance here?


FWIW I specify SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER,






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181130/e9e8d911/attachment.html>

More information about the openssl-users mailing list