That did it, works now. I should have noticed that. Thanks a lot! -Anthony
"Dr. Stephen Henson" wrote:
> On Wed, Nov 26, 2003, Anthony Neal wrote:
>
> > Hello,
> >
> > Recently our requirements have changed from using an in-house
> > experimental CA to using a single self-signed certificate. I have used
> > the command:
> >
> > openssl req -config config.cnf -x509 -newkey rsa -out servercert.pem
> > -outform PEM -keyout serverkey.pem -nodes
> >
> > to generate said certificate. My config file contains:
> >
> > [ req ]
> > default_bits = 1024
> > default_md = md5
> > x509_extensions = root_ca_extensions
> >
> > [ root_ca_extensions ]
> > basicConstraints = CA:true
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid:always,issuer:always
> > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> >
> >
> > When I attempt to test this using openssl s_server and s_client, I note
> > the following:
> >
> > % openssl s_client -showcerts -CAfile servercert.pem
> > CONNECTED(00000003)
> > depth=0 /C=US/ST=Alabama/L=Huntsville/O=Mutable Realms Incorporated/...
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=US/ST=Alabama/L=Huntsville/O=Mutable Realms Incorporated/...
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> >
> >
> > Of course, s_client connects and is fine, but that is because it is
> > ignoring this error - my application is not.
> >
> > Can someone please point out what I'm doing wrong here? Shouldn't
> > providing the server's self-signed certificate in the CAfile suffice for
> > establishing trust?
> >
>
> If you want to use the keyUsage extension then try including keyCertSign as
> well.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                           [EMAIL PROTECTED]
> Automated List Manager                              [EMAIL PROTECTED]