Hello Prathima: On March 24, 2009 10:40:47 am prathima wrote: > Hi Kyle, > > CA certificate chain is parsed properly. I also tried using only > RootCA(excluding intermediate CA's). Even with this I am getting the same > error. > Could you please explain this: > client.crt also needs to have extendedKeyUsage of > "clientAuthentication" and keyUsage of "encipherment" and "key > negotiation" > A couple of things to take a look at:
1: Do all of the CA Certificates have the extension "Basic Constraints: CA:True"? 2: Do the Issuer/Subject fields of the CA certificates chain correctly? 3: Do the AKI/SKI fields of the CA certificates chain correctly? What happens when you do: openssl verify -CAFile cachain.crt -verbose client-cert.pem? Can you post the cachain.crt file? Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
