Erik Tkal <et...@juniper.net> writes:

> Hi Michael,
>
> Your "rootcacert" is not a root cert, as it was issued by "C=US,
> ST=UT, L=Salt Lake City, O=The USERTRUST Network,
> OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication
> and Email".  You need to append that cert as well to your CAfile.

That seems to be a change in behaviour.  0.9.8o is happy:
 
    brs% openssl version
    OpenSSL 0.9.8o 01 Jun 2010

    brs% openssl verify -verbose  -CAfile rootcacert.pem subcacert.pem
    subcacert.pem: OK

    brs% openssl verify -issuer_checks -CAfile rootcacert.pem subcacert.pem
    subcacert.pem: /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
    error 29 at 0 depth lookup:subject issuer mismatch
    /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Root CA 1:PN
    error 29 at 0 depth lookup:subject issuer mismatch
    OK

[...]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
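
The quoted advice is to append the issuer's certificate to the CAfile. As an added example (not part of either message, and not OpenSSL project code), the script below lists every issuer name that a CAfile bundle refers to but does not contain. The function names and the "Demo" chain are constructed for illustration, and the check compares names only; it verifies no signatures.

```shell
#!/bin/sh
# Added example: report which issuer certificates are missing from a CAfile.
# missing_issuers and make_demo_chain are hypothetical helper names.

# Print each issuer name referenced by a certificate in bundle $1 for which
# the bundle holds no certificate with that subject. A self-signed root has
# issuer == subject, so it is never reported. Name comparison only.
missing_issuers() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '
        /^subject=/ { s = $0; sub(/^subject= */, "", s); have[s] = 1 }
        /^issuer=/  { i = $0; sub(/^issuer= */, "", i); need[i] = 1 }
        END { for (n in need) if (!(n in have)) print n }
    '
}

# Build a constructed two-level chain in directory $1:
# root.pem (self-signed "Demo Root") and sub.pem ("Demo Sub CA", issued by it).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    openssl x509 -req -in "$1/sub.csr" -days 1 -extfile "$1/ca.ext" \
        -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/sub.pem" 2>/dev/null
}

# Usage: sh this_script.sh bundle.pem
if [ "$#" -gt 0 ]; then
    missing_issuers "$1"
fi
```

An empty result means every certificate in the bundle chains, by name, to a self-signed certificate that is also in the bundle.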
