On Mon, 29 Nov 2010 20:05:43 +0200 "Dr. Stephen Henson" <[email protected]> wrote: >On Mon, Nov 29, 2010, [email protected] wrote: > >> Greetings, >> >> I guess this question must have been asked quite a lot over >here, >> but I couldn't find any traces of it >> so I guess I'll repeat it. >> >> I can't seem to be able to verify (using 'openssl verify') - >> without openssl spitting a >X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT - >> a server certificate that was signed with a custom-made CA even >> though I pass the CA certificate using the -CAfile switch. >> I've tried -purpose and also using -CApath instead of -CAfile >but >> to no avail. >> >> Is this a feature, a bug or am I just doing it wrong? >> > >Impossible to tell without seeing the actual certificate and the >precise >command line you use. > >Steve. >-- >Dr Stephen N. Henson. OpenSSL project core developer. >Commercial tech support now available see: http://www.openssl.org >___________________________________________________________________ >___ >OpenSSL Project >http://www.openssl.org >User Support Mailing List openssl- >[email protected] >Automated List Manager >[email protected]
Greetings! I'm doing nothing funky: $ openssl genrsa -des3 -out ca.key 4096 $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt $ openssl genrsa -des3 -out server.key 4096 $ openssl req -new -key server.key -out server.csr $ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key - set_serial 01 -out server.crt Giving to every option (company name, etc.) the default value: So for example, my server.crt's issuer line is: Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd and my ca.crt's subject line is: Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd I'm trying to verify them with something like that: " $ openssl verify -CAfile ca.crt server.crt server.crt: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd error 18 at 0 depth lookup:self signed certificate OK " but like I said in my original post I've tried the -purpose -CApath etc. switches as well. Can you reproduce this? Thank you very much for the reply! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
