On Wed, Nov 26, 2003, Anthony Neal wrote:

> Hello,
>
> Recently our requirements have changed from using an in-house
> experimental CA to using a single self-signed certificate. I have used
> the command:
>
> openssl req -config config.cnf -x509 -newkey rsa -out servercert.pem
> -outform PEM -keyout serverkey.pem -nodes
>
> to generate said certificate. My config file contains:
>
> [ req ]
> default_bits = 1024
> default_md = md5
> x509_extensions = root_ca_extensions
>
> [ root_ca_extensions ]
> basicConstraints = CA:true
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer:always
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
>
> When I attempt to test this using openssl s_server and s_client, I note
> the following:
>
> % openssl s_client -showcerts -CAfile servercert.pem
> CONNECTED(00000003)
> depth=0 /C=US/ST=Alabama/L=Huntsville/O=Mutable Realms Incorporated/...
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=Alabama/L=Huntsville/O=Mutable Realms Incorporated/...
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
>
> Of course, s_client connects and is fine, but that is because it is
> ignoring this error - my application is not.
>
> Can someone please point out what I'm doing wrong here? Shouldn't
> providing the server's self-signed certificate in the CAfile suffice for
> establishing trust?
If you want to use the keyUsage extension then try including keyCertSign as well.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
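An added example, not part of the thread and not code from either poster: the script below writes the question's req config twice, once with the original keyUsage and once with keyCertSign added as the reply suggests, generates each certificate with the poster's `openssl req` command line, and then asks OpenSSL two things about each: whether it will treat the certificate as a CA at all (`openssl x509 -purpose`, which applies the keyCertSign rule directly and behaves the same across releases) and whether `openssl verify -CAfile servercert.pem servercert.pem` accepts it, which is the trust check that `s_client -CAfile` performs. The distinguished name, sha256 and 2048-bit RSA are assumptions (they replace the post's md5 and 1024 bits, which no current build should still be using); the extension section otherwise mirrors the post. Which error, if any, the verify step reports for the first certificate depends on the OpenSSL release: 1.1.1 and earlier reproduce the post's error 20, and my understanding is that OpenSSL 3 no longer rejects a self-signed anchor on this ground in a plain verify, so the script prints that result rather than assuming it.

```shell
#!/bin/sh
# Added example, not from the thread: build the poster's self-signed certificate
# with and without keyCertSign in keyUsage, then ask OpenSSL whether it will
# treat the certificate as a CA and whether it verifies against itself.
# Assumptions: the CN, sha256 and 2048-bit RSA (the post used md5 and 1024).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# write_cnf FILE KEYUSAGE: the post's req config, with the keyUsage value
# supplied by the caller and a non-interactive distinguished name added.
write_cnf() {
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = root_ca_extensions

[ dn ]
CN = self-signed-test

[ root_ca_extensions ]
basicConstraints       = CA:true
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = $2
EOF
}

# build_cert KEYUSAGE: run the poster's openssl req command line against that
# config and print the path of the resulting certificate.
build_cert() {
    dir=$(mktemp -d "$WORK/cert.XXXXXX")
    write_cnf "$dir/config.cnf" "$1"
    openssl req -config "$dir/config.cnf" -x509 -newkey rsa -out "$dir/servercert.pem" \
        -outform PEM -keyout "$dir/serverkey.pem" -nodes >/dev/null 2>&1
    printf '%s\n' "$dir/servercert.pem"
}

# keyusage_of CERT: the keyUsage bits as actually encoded in the certificate.
keyusage_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]*/, ""); print; exit }'
}

# ca_purpose CERT: "Yes" if OpenSSL will accept CERT as an SSL server CA, else
# "No". This is the keyCertSign rule applied directly: a certificate whose
# keyUsage is present but lacks keyCertSign is never a CA, whatever
# basicConstraints says.
ca_purpose() {
    openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL server CA : //p'
}

# verify_self CERT: what s_client -CAfile CERT does, minus the TLS handshake:
# verify CERT with CERT itself as the only trust anchor. Prints "ok" or "fail".
verify_self() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH" >&2
        return 0
    fi
    for ku in 'nonRepudiation, digitalSignature, keyEncipherment' \
              'nonRepudiation, digitalSignature, keyEncipherment, keyCertSign'; do
        cert=$(build_cert "$ku")
        echo "keyUsage = $ku"
        echo "  encoded as:        $(keyusage_of "$cert")"
        echo "  usable as CA:      $(ca_purpose "$cert")"
        echo "  verify -CAfile:    $(verify_self "$cert")"
    done
}

main
```

The `-purpose` line is the one to watch: with the original keyUsage OpenSSL answers "SSL server CA : No" even though basicConstraints says CA:true, because a keyUsage extension that is present but lacks keyCertSign overrides it; with keyCertSign added the answer becomes "Yes" and the self-verify passes on every release. Omitting the keyUsage extension entirely would also work, which is the other reading of the reply.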