I thought that at first, but I made similar certs with critical Key Usage parameters using openssl and openssl liked them.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goetz Babin-Ebell
Sent: Friday, August 27, 2004 12:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with some self-signed certs

Hello Jim,

Jim Adams wrote:
> I am experiencing a problem with self-signed server certificates
> generated by z/OS's pskkyman program in my openssl-enabled telnet
> client. Usually, a self-signed certificate will generate an error of
> "self-signed certificate" in my certificate verify callback routine.
> If I add the certificate to openssl's root store, further verifies are
> OK. The z/OS certificates, which are self-signed, generate 2 errors:
> "unable to get local issuer certificate" and "unable to verify the
> first certificate". I have previously only seen these errors on
> CA-signed certs. Can anybody tell me how a self-signed cert can
> generate these errors instead of the "self-signed certificate" error?
> I have attached the certificate in question. Any help would be appreciated.

My guess is:
Since the Key usage states that this certificate may not be used to sign certificates:

[...]
X509v3 Key Usage: critical
    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
[...]

OpenSSL will not accept it as a CA certificate...

Bye

Goetz

--
Goetz Babin-Ebell, software designer, TC TrustCenter AG,
Sonninstr. 24-28, 20097 Hamburg, Germany
Office: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
www.trustcenter.de www.betrusted.com
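An added example, not code from either poster or from OpenSSL: a decoder for the DER-encoded keyUsage BIT STRING (RFC 5280, section 4.2.1.3) that reports whether keyCertSign, the bit Goetz's guess turns on, is set. The two byte strings are constructed samples; the first encodes the four usages quoted in the thread, and the function names are hypothetical.

```python
# Added example: decode an X.509 keyUsage extension value (RFC 5280, 4.2.1.3).
# Bit 0 is the most significant bit of the first payload byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> list:
    """Return the usage names set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage has nine named bits, so the content is the unused-bits
    # octet plus one or two payload bytes.
    if length & 0x80 or length != len(der) - 2 or not 2 <= length <= 3:
        raise ValueError("unexpected length for KeyUsage")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    if payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit = divmod(i, 8)
        if byte_index < len(payload) and payload[byte_index] & (0x80 >> bit):
            names.append(name)
    return names


def may_sign_certificates(der: bytes) -> bool:
    """True when keyCertSign is asserted in the keyUsage value."""
    return "keyCertSign" in decode_key_usage(der)


# Constructed sample: the four usages quoted in the thread (bits 0-3).
QUOTED_USAGE = bytes.fromhex("030204f0")
# Constructed sample: a CA-style value with keyCertSign and cRLSign.
CA_STYLE_USAGE = bytes.fromhex("03020106")

if __name__ == "__main__":
    for label, value in (("quoted", QUOTED_USAGE), ("ca-style", CA_STYLE_USAGE)):
        print(label, decode_key_usage(value), may_sign_certificates(value))
```
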