On Wed, Nov 03, 2010, Bruce Stephens wrote:

> Erik Tkal <et...@juniper.net> writes:
>
> > Hi Michael,
> >
> > Your "rootcacert" is not a root cert, as it was issued by "C=US,
> > ST=UT, L=Salt Lake City, O=The USERTRUST Network,
> > OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication
> > and Email". You need to append that cert as well to your CAfile.
>
> That seems to be a change in behaviour. 0.9.8o is happy:
>
> brs% openssl version
> OpenSSL 0.9.8o 01 Jun 2010
>
> brs% openssl verify -verbose -CAfile rootcacert.pem subcacert.pem
> subcacert.pem: OK
>
> brs% openssl verify -issuer_checks -CAfile rootcacert.pem subcacert.pem
> subcacert.pem: /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
> error 29 at 0 depth lookup:subject issuer mismatch
> /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
> error 29 at 0 depth lookup:subject issuer mismatch
> /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
> error 29 at 0 depth lookup:subject issuer mismatch
> /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Root CA 1:PN
> error 29 at 0 depth lookup:subject issuer mismatch
> OK
>

Is that unmodified OpenSSL 0.9.8o? If so, that's peculiar; I get the expected error here.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
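
The point made in the quoted text (a CAfile holding only an intermediate does not anchor the chain, and the issuing root must be appended), as an added example that is not part of the thread. It assumes an `openssl` CLI of version 1.1.0 or later on the PATH; every subject name and file name is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed chain: root -> intermediate (plays "rootcacert") -> sub CA (plays "subcacert").

issue() {  # issue <dir> <issuer> <name> <subject>: sign a new CA cert with <issuer>
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions v3_ca -days 2 \
        -out "$1/$3.pem" 2>/dev/null
}

make_chain() {  # make_chain <dir>: write root, inter and sub certificates into <dir>
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: the only certificate that can anchor the chain by default.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=Constructed Root" -days 2 \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" root inter "/CN=Constructed Intermediate"
    issue "$1" inter sub "/CN=Constructed Sub CA"
}

verify_with() {  # verify_with <CAfile> <cert>: prints OK or FAIL
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

d=$(mktemp -d)
make_chain "$d"
# CAfile with only the intermediate: the chain stops short of a self-signed root.
echo "intermediate only:   $(verify_with "$d/inter.pem" "$d/sub.pem")"
# Append the issuing root to the CAfile, as advised in the quoted message.
cat "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"
echo "intermediate + root: $(verify_with "$d/bundle.pem" "$d/sub.pem")"
```

Running `openssl verify` by hand on the first case shows the reason for the failure in its error output; the `-partial_chain` option, which changes this behaviour, is deliberately not used here.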