> From: owner-openssl-us...@openssl.org On Behalf Of Erwann Abalea
> Sent: Monday, 06 August, 2012 08:06
>
> The given certificate is correctly self-signed, you can manually check
> it by extracting the signature block and playing with "openssl rsautl
> ...", "dd ... | openssl dgst -sha1", etc.
>
> It fails the validation path check probably because it's not declared as
> a CA. There's some ongoing work on IETF about DANE certificates and
> clarifications on RFC5280 about self-signed EE certificates. The
> presented certificate is certainly such a DANE one.
>
Specifically, as I responded Friday to a post from Harald Latzko
"RE: TLS server/client with self-signed certificate":
OpenSSL won't verify a self-signed cert *or* a "real" CA cert
if it has KeyUsage that excludes certSign, as this one does.

It's not clear to me whether a self-signed cert used only for an entity,
not to issue other certs, *should* have BC.CA:true, but current OpenSSL
definitely doesn't require it. (I've tested BC.CA:false KU:includes.certSign
and OpenSSL works.)

> On 06/08/2012 13:04, Johannes Bauer wrote:
> >
> > It's seemingly self-signed, but then again -- not. When I call openssl:
> >
> > $ openssl verify -CApath /dev/null -CAfile weird.crt weird.crt
> > weird.crt: /CN=WMSvc-WIN-EEBHLC81GJ8
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> > Interestingly the lookup fails at depth 0 (!). If a parent certificate
> > were missing, I'd expect a lookup fail at depth 1.
>
It's lookup of the issuer of the cert at 0 that failed.
Because the lookup failed (after being attempted by mistake),
to OpenSSL there is NO cert at depth 1 in this chain, only a "hole".

> > When I create a self-signed certificate:
> >
> > $ openssl req -new -x509 -nodes -out foobar.crt
> >
> > And check it then: [OK]
>
By default req -new -x509 does no extensions. Use a config file
and x509_extensions or -extensions section that includes KeyUsage
as above and you can recreate the problem.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org