... and using -verbose option, the step (3) verify would produce:
% openssl verify -verbose -CAfile ca.crt -untrusted ca2.crt user.crt
error 18 at 0 depth lookup:self signed certificate
error 7 at 0 depth lookup:certificate signature failure
21970:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
21970:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
21970:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
Thanks!
Jeff
Jeff Smith wrote:
>
> Hi everyone,
>
> I created a chain of 3 certificates as follows:
>
> (1) a self-signed root ca cert, using
>
> openssl genrsa -des3 -out ca.key
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -signkey ca.key -out ca.crt -in ca.csr
>
> (2) a second ca cert, signed by the first ca, using
>
> openssl genrsa -des3 -out ca2.key
> openssl req -new -key ca2.key -out ca2.csr
> openssl ca -cert ca.key -keyfile ca.key -out ca2.crt -infiles ca2.csr
>
> (3) a user cert using
>
> openssl genrsa -des3 -out user.key
> openssl req -new -key user.key -out user.csr
> openssl ca -cert ca2.crt -keyfile ca2.key -out user.crt -infiles user.csr
>
> But when I try to verify user.crt using
>
> openssl verify -CAfile ca.crt -untrusted ca2.crt user.crt
>
> it fails with
>
> error 18 at 0 depth lookup:self signed certificate
> and
> error 7 at 0 depth lookup:certificate signature failure
>
> I have looked through faqs and related pages, could not figure out why.
> Could someone tell me the reasons?
>
> Thank you in advance.
>
> jeff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
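
Error 18 at depth 0 is what verify reports when the certificate being checked has identical subject and issuer names and is not itself in the trusted set. The script below is an added example, not part of the thread: it builds the same root -> ca2 -> user layout and checks each certificate for that condition before running verify. It assumes `openssl x509 -req -CA` in place of the thread's `openssl ca`, unencrypted keys, and constructed subject names.

```shell
#!/bin/sh
# Added example, not from the thread. Subject names are constructed.
# Keys are left unencrypted (-nodes) so the script runs non-interactively.

# issue NAME SUBJECT SIGNER CA_FLAG: create NAME.key and NAME.crt.
# SIGNER is the name of the issuing CA, or "self" for a self-signed root.
issue() {
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "$2" 2>/dev/null || return 1
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$1.ext" -days 30 -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
      -CAcreateserial -extfile "$1.ext" -days 30 -out "$1.crt" 2>/dev/null
  fi
}

# self_issued CERT: true when subject and issuer names are identical,
# the condition under which verify treats CERT as self-signed.
self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# build_chain DIR ROOT_DN CA2_DN USER_DN: root -> ca2 -> user inside DIR.
build_chain() {
  ( cd "$1" &&
    issue ca   "$2" self TRUE &&
    issue ca2  "$3" ca   TRUE &&
    issue user "$4" ca2  FALSE )
}

# check_chain DIR: flag a non-root certificate whose subject equals its
# issuer; otherwise run the thread's verify command and print "ok" on success.
check_chain() {
  for c in user ca2; do
    if self_issued "$1/$c.crt"; then echo "self-issued:$c"; return 1; fi
  done
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/ca2.crt" \
    "$1/user.crt" >/dev/null 2>&1 && echo ok
}

good=$(mktemp -d); bad=$(mktemp -d)
build_chain "$good" "/CN=Example Root CA" "/CN=Example Sub CA" "/CN=Example User"
build_chain "$bad"  "/CN=Example" "/CN=Example" "/CN=Example"
echo "distinct names: $(check_chain "$good")"
echo "same names:     $(check_chain "$bad")"
```
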