Dear group,
I have a server certificate signed by a local CA company and the root certificate that signed it expires very soon. The CA company gave us a new root certificate but with the new root certificate OpenSSL is no longer able to successfully verify the server certificate.
The working chain is: trust.pem --- a-sign.pem --- server.pem
The no longer working chain is: trust_new.pem --- a-sign.pem --- server.pem
OpenSSL successfully verifies server.pem when using trust.pem and a-sign.pem in the CAfile but it fails to verify server.pem with trust_new.pem instead of trust.pem in the CAfile:
server.pem: /C=AT/O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH/OU=a-sign-corporate-light-01/CN=a-sign-corporate-light-01
error 2 at 1 depth lookup:unable to get issuer certificate
Verifying a-sign.pem when using trust.pem gives OK but when using trust_new.pem instead it gives:
a-sign.pem: /C=AT/O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH/OU=a-sign-corporate-light-01/CN=a-sign-corporate-light-01
error 20 at 0 depth lookup:unable to get local issuer certificate
It looks like OpenSSL does not recognize trust_new.pem as the signer of a-sign.pem, but the question is why? trust_new.pem looks, at least to me, pretty much like trust.pem except for the changed validity dates and the signature.
Does anyone know what's wrong with the certificates and how to make OpenSSL successfully validate the certificate chain again? (The certificates follow below.)
TIA Manfred
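One check that fits the symptom described above (two roots that look alike, yet only one is found as the issuer) is whether the issuer Name in the intermediate matches the candidate root's subject Name byte for byte, or only as text. This is an added example, not part of the original post: the Names are constructed (C=XX, O=Example CA, CN=Example Root 01), the helper names are hypothetical, and a verifier that matches names on their encoded bytes would treat the "same text, different encoding" case as a different name.

```python
PRINTABLE, UTF8 = 0x13, 0x0C
TAGS = {PRINTABLE: "PrintableString", UTF8: "UTF8String"}
C, O, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"  # OIDs 2.5.4.6 / .10 / .3

def tlv(tag, body):  # one DER TLV, short-form length (enough for these small names)
    return bytes([tag, len(body)]) + body

def children(buf):
    """Yield (tag, body) for each DER TLV packed in buf (short or long length form)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: low bits give the size of the length
            k = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def build_name(attrs):
    """Build a DER Name from [(oid, string_tag, text)], one attribute per RDN."""
    rdns = [tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode()))) for oid, tag, text in attrs]
    return tlv(0x30, b"".join(rdns))

def parse_name(der):
    """Decode a DER Name into [(oid, string_tag, text)]."""
    out = []
    for _, rdns in children(der):              # outer SEQUENCE
        for _, rdn in children(rdns):          # SET, one per RDN
            for _, atv in children(rdn):       # SEQUENCE { type, value }
                (_, oid), (stag, val) = children(atv)
                out.append((oid, stag, val.decode("utf-8", "replace")))
    return out

def diagnose(issuer_der, subject_der):
    """Compare a child's issuer Name with a candidate CA's subject Name."""
    if issuer_der == subject_der:
        return "identical", []
    a, b = parse_name(issuer_der), parse_name(subject_der)
    if [(o, t) for o, _, t in a] != [(o, t) for o, _, t in b]:
        return "different name", []
    return "same text, different encoding", [
        (t, TAGS.get(x, hex(x)), TAGS.get(y, hex(y)))
        for (_, x, t), (_, y, _) in zip(a, b) if x != y]

# Constructed sample Names (not the certificates from the post).
old = build_name([(C, PRINTABLE, "XX"), (O, PRINTABLE, "Example CA"), (CN, PRINTABLE, "Example Root 01")])
new = build_name([(C, PRINTABLE, "XX"), (O, UTF8, "Example CA"), (CN, UTF8, "Example Root 01")])
print(diagnose(old, old), diagnose(old, new))
```

With real certificates, the same comparison can be made by eye from `openssl x509 -noout -subject -issuer -nameopt multiline,show_type` run on each file.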