How to rotate cert when only first matching cert been verified

Michael Wojcik Michael.Wojcik at microfocus.com
Mon Dec 21 15:37:02 UTC 2020


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of ???
> Sent: Saturday, 19 December, 2020 17:59

> 1. Generate a new cert, and append it to the cert file

Why are you appending it to the file containing the existing certificate?

> (at this point, there are 2 certs in the file, first is old cert, second is
> new, they have the same Subject), restart client side process, (no problem
> here, because first cert matching server side cert, and it verifies
> successfully)

> 2. Replace server side with new cert.

It sounds like you're updating the server's entity certificate.

> As soon as I issue step #2, the client side process starts to show error
> “certificate verify failed”.

There are many possible reasons for verification to fail.

> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html,
> it says the exact behavior like my test:

Similar symptoms, perhaps. But this page discusses "CA certificates" - that is,
intermediate and root certificates that have been configured to be trust anchors
or contributors to the trust chain. It has nothing to do with entity certificates,
which is what you're changing here.

You haven't given us enough information to guess why the new certificate is
failing client verification. You need to get detailed failure information from
the client program, or use a different client that gives you detailed information,
or use a utility such as "openssl verify" to test the certificate chain locally.

--
Michael Wojcik
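Checking the chain locally with `openssl verify`, as an added shell example that is not part of this thread: it builds a constructed throwaway CA, issues an old and a new server certificate with the same Subject (assumed names "Example Test CA" and "server.example.test"), and shows which trust file accepts the rotated certificate: the issuing CA, the old entity certificate on its own, or both together.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA, issue an "old" and
# a "new" server cert with the same Subject, then use `openssl verify` to see
# which trust file accepts the rotated cert. All names and files are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Own req config, so the result does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_pki() {
  if [ -f "$WORK/new.pem" ]; then return 0; fi
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
  serial=1
  for name in old new; do   # same Subject, different key and serial number
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
      -subj "/CN=server.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -set_serial "$serial" -days 2 -out "$WORK/$name.pem" >/dev/null 2>&1
    serial=$((serial + 1))
  done
  # Trust file holding the CA plus the old entity cert: the thread's
  # "append to the file" layout, but anchored on the issuing CA.
  cat "$WORK/ca.pem" "$WORK/old.pem" >"$WORK/ca_plus_old.pem"
}
# verify_against TRUSTFILE LEAF -> prints "ok" or "fail"
verify_against() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# verify_reason TRUSTFILE LEAF -> the detailed error text openssl verify reports
verify_reason() { openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>&1 || true; }
make_pki
echo "CA as anchor, new cert:          $(verify_against ca.pem new.pem)"          # ok
echo "old entity cert as anchor:       $(verify_against old.pem new.pem)"         # fail
echo "CA + old entity cert as anchor:  $(verify_against ca_plus_old.pem new.pem)" # ok
echo "why it fails: $(verify_reason old.pem new.pem)"
```

Only the run that trusts the issuing CA survives the rotation; pinning the old entity certificate as the trust file fails with the "unable to get local issuer certificate" style message that `verify_reason` prints, which is the detail a client log should give you.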
