I'm not seeing any response, so I'll assume this is either resolved or will take some time before I get a response, so I'll stall this ticket for now.

[levitte - Sun Oct 6 22:24:50 2002]:

> [[EMAIL PROTECTED] - Sun Oct 6 21:38:18 2002]:
>
> > Richard Levitte via RT wrote:
> > > OK, I just haven't seen further communication on this, so I've no
> > > idea what conclusions you came to. It's very possible that the CA
> > > certificate didn't match the issuer of the certificate you wanted to
> > > verify. Do you have the possibility to send me the certificates you
> > > were using in your test?
> >
> > here are the 'openssl x509' dumps, I hope that helps.
>
> Yup. So let me see if I got this right, you're trying to verify
> mail.zaplinski.de.pem using ca.pem, right? And both of those files
> only contain one certificate, right (openssl x509 will only dump the
> first certificate found in a .pem file, IIRC)? In that case, the
> certificate in ca.pem is insufficient for verification, because it
> in turn depends on another CA certificate. Observe the subject and
> the issuer that you show us:
>
> > ---- ca.pem ----
> [...]
> > Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de,
> > CN=zaplinski.de root [EMAIL PROTECTED]
> > Subject: C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de
> > root
> > [EMAIL PROTECTED]
>
> The issuer has the RDN L=Hamburg, the subject doesn't. The issuer
> therefore must have another certificate. So, the chain that can be
> built is mail.zaplinski.de.pem -> ca.pem -> ???, where '???' is an
> unknown, and as far as I understand, unavailable certificate.
> Therefore, 'openssl verify' is absolutely correct in saying 'unable
> to get local issuer certificate'.
>
> Unless you have other facts contradicting my guesses, I'm going to
> consider this case closed and the ticket resolved.

--
Richard Levitte
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
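
The chain walk described in the thread, as an added example that is not part of the original messages or of OpenSSL: it follows issuer-to-subject links by exact name match and reports where the chain stops. Assumptions: the helper names are hypothetical, the ca.pem names are the ones quoted above without the redacted e-mail attribute, the leaf's subject is constructed, and matching is by name only, with no signature or key-identifier checks.

```python
def parse_dn(text):
    """Parse 'C=DE, ST=Hamburg, ...' as printed by 'openssl x509' into an
    ordered tuple of (attribute, value) pairs. Order matters when names are
    compared. Simplification: values containing ',' are not handled."""
    rdns = []
    for part in text.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        rdns.append((key.strip(), value.strip()))
    return tuple(rdns)


def cert(label, subject, issuer):
    """Hypothetical record holding only the two names of a certificate."""
    return {"label": label, "subject": parse_dn(subject), "issuer": parse_dn(issuer)}


def extra_rdns(issuer, subject):
    """RDNs present in the issuer name but absent from the subject name."""
    return [rdn for rdn in issuer if rdn not in subject]


def build_chain(leaf, store):
    """Walk issuer -> subject links by exact name match. Returns
    (labels, missing_issuer); missing_issuer is None when the walk ends at a
    self-issued certificate, otherwise the name no stored certificate has
    as its subject (or the name at which the walk would loop)."""
    by_subject = {c["subject"]: c for c in store}
    chain, current = [leaf["label"]], leaf
    while current["issuer"] != current["subject"]:
        parent = by_subject.get(current["issuer"])
        if parent is None or parent["label"] in chain:
            return chain, current["issuer"]
        chain.append(parent["label"])
        current = parent
    return chain, None


# ca.pem names as quoted in the thread (e-mail attribute omitted).
CA_SUBJECT = "C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root"
CA_ISSUER = "C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root"
ca = cert("ca.pem", CA_SUBJECT, CA_ISSUER)
# Constructed leaf: its subject is made up; its issuer is ca.pem's subject.
leaf = cert("mail.zaplinski.de.pem", "CN=mail.zaplinski.de", CA_SUBJECT)

if __name__ == "__main__":
    chain, missing = build_chain(leaf, [ca])
    print(" -> ".join(chain + ["???" if missing else "(self-issued root)"]))
    print("RDNs only in ca.pem's issuer:", extra_rdns(ca["issuer"], ca["subject"]))
```

With only ca.pem in the store the walk stops at the name containing L=Hamburg; adding a self-issued certificate with that name as its subject lets it terminate.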