> From: owner-openssl-us...@openssl.org On Behalf Of Sandro Tosi
> Sent: Monday, 09 July, 2012 10:15

> /usr/bin/openssl ts -verify -sha256 -untrusted <CERT> -CAfile 
> <CA> -data  <FILE TO MARK> -in <TSA REPLY>
> 
> and the output we get is:
> 
> 140119872083624:error:2F06D064:time stamp 
> routines:TS_VERIFY_CERT:certificate verify 
> error:ts_rsp_verify.c:246:Verify error:self signed certificate in 
> certificate chain
> 
> We're using a Debian system, so we copied the CA into /etc/ssl/certs/ 
> but we still see that problem: how can we fix it? Is there a way to get 
> a more descriptive trace of the problem? Can we run manually all the 
> steps to verify the reply?
> 
Your problem is not verifying the message itself, but verifying 
the certificate that assures it. 

If you use -CAfile, you must put or have the CA root in 
that file *in addition to* all other roots needed by other 
apps using the same file, which for a default location like 
(IIUC) /etc/ssl/cert.pem may be many other apps.

If you want a directory of individual root files, like 
/etc/ssl/certs/*, use -CApath, add your CA root file in 
that directory, and add a hash link to it: automatically 
by running INSTALLDIR/bin/c_rehash or manually by:
ln -s $file `openssl x509 -hash -noout -in $file`.0


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
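
The -CApath hash-link step described in the reply, as an added example that is not part of the original thread. The helper names `install_root`, `trusted` and `demo` are hypothetical, and every certificate is a constructed throwaway; it goes slightly beyond the one-line `ln -s` by handling roots whose subject hashes collide and roots that are already linked.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names are hypothetical
# and every certificate below is a constructed throwaway.

# install_root DIR CERT: link CERT into DIR as <subject-hash>.<n>, the name
# OpenSSL looks up under -CApath. Prints the link name.
install_root() {
    dir=$1; cert=$2
    hash=$(openssl x509 -hash -noout -in "$cert") || return 1
    fp=$(openssl x509 -fingerprint -sha256 -noout -in "$cert") || return 1
    n=0
    # Roots whose subjects hash alike take .0, .1, ... with no gaps.
    while [ -e "$dir/$hash.$n" ]; do
        other=$(openssl x509 -fingerprint -sha256 -noout -in "$dir/$hash.$n")
        # Same certificate already linked: nothing to do.
        [ "$other" = "$fp" ] && { echo "$hash.$n"; return 0; }
        n=$((n + 1))
    done
    abs=$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")
    ln -s "$abs" "$dir/$hash.$n" && echo "$hash.$n"
}

# trusted DIR CERT: true only if CERT chains to a root linked in DIR.
trusted() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo: build a constructed root and leaf, then show that the leaf verifies
# only after the root has been hash-linked. Returns 0 on the expected result.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$t/root.key" -out "$t/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed TSA" \
        -keyout "$t/leaf.key" -out "$t/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$t/leaf.csr" -CA "$t/root.pem" -CAkey "$t/root.key" \
        -CAcreateserial -days 1 -out "$t/leaf.pem" 2>/dev/null || return 1
    trusted "$t/certs" "$t/leaf.pem" && return 1      # no link yet: must fail
    first=$(install_root "$t/certs" "$t/root.pem") || return 1
    again=$(install_root "$t/certs" "$t/root.pem") || return 1
    [ "$first" = "$again" ] || return 1               # re-install is a no-op
    trusted "$t/certs" "$t/leaf.pem"; rc=$?
    rm -rf "$t"
    return $rc
}
```

Source the file and run `demo`; an exit status of 0 means the constructed leaf was rejected before the link existed and accepted afterwards.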