Bingo! As the organization was the same in both cases I had put the same value in every place.
Thanks,
Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Monday, August 20, 2012 4:45 PM
To: openssl-users@openssl.org
Subject: RE: CA-signed certificate reported as self-signed

> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Monday, 20 August, 2012 15:32

> Sorry to have so many questions ...
>
> I create a certificate request. I sign it with
>
> openssl.exe ca -in MYNOTEBOOK_server.req.pem -config
> CMC_root_config.cnf -out MYNOTEBOOK_server.pem -verbose -cert
> CMC_root.pem -keyfile CMC_root.key.pem
<snip>
> writing C:/Users/Charles/Documents/CorreLog/Certificates/01.pem
> Data Base Updated
>
<snip>
> openssl.exe s_server -accept 6514 -cert MYNOTEBOOK_server.pem -key
> MYNOTEBOOK_server.key.pem -state -debug
<snip>
> openssl.exe s_client -connect localhost:6514 -CAfile CMC_root.cert.pem
> -showcerts -prexit -no_ssl2 -cipher ALL:@STRENGTH -state <
> OpenSSLclient_data.txt
>
> And it twice reports
>
> Verify return code: 18 (self signed certificate)
>
> Why?
>
> If I display the certificate with -text I don't see "CMC_root" in
> there anywhere. How does the
>

I assume you mean display the "MYNOTEBOOK" (end-entity) cert with x509 -text [-noout]. What does it show for Subject: and Issuer: ? (Or more concisely, you can do x509 -subject -issuer -noout .)

Issuer in the EE cert must be the same as both names (Subject AND Issuer) in the *CA* cert, and Subject in the EE cert must be *different*. If it's not, either you answered the prompts with duplicate values when creating the CSR(s), or your config file(s) had prompt=no and duplicate values.
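
The name check described in the reply above, as a shell example added here (it is not part of the original thread). It builds a throwaway root CA and two server certificates, one whose CSR reuses the CA's DN and one with a distinct CN, then compares Subject and Issuer with x509 -subject -issuer -noout. All DNs, file names and function names are constructed for the demo.

```sh
#!/bin/sh
# Added example: every DN and file name below is constructed for the demo.

# dn FIELD CERT: print the "subject" or "issuer" DN of a PEM certificate.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# check_names EE_CERT CA_CERT
# 0 = names usable; 1 = EE subject duplicates its issuer (this thread's case);
# 2 = EE issuer is not the CA subject; 3 = CA cert subject != issuer.
check_names() {
    ee_sub=$(dn subject "$1"); ee_iss=$(dn issuer "$1")
    ca_sub=$(dn subject "$2"); ca_iss=$(dn issuer "$2")
    [ "$ca_sub" = "$ca_iss" ] || { echo "CA cert is not self-issued"; return 3; }
    [ "$ee_iss" = "$ca_sub" ] || { echo "EE issuer differs from CA subject"; return 2; }
    [ "$ee_sub" != "$ee_iss" ] || { echo "EE subject equals issuer: $ee_sub"; return 1; }
    echo "names OK: $ee_sub <- $ee_iss"
}

# make_demo DIR: create a root CA and two certs signed by it in DIR:
# dup.pem (CSR answered with the CA's own DN) and ok.pem (distinct CN).
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=Example" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for n in dup ok; do
        subj="/O=Example Org/CN=Example"
        [ "$n" = ok ] && subj="/O=Example Org/CN=server.example.test"
        openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$n.pem" 2>/dev/null || return 1
    done
}

# Demo run: the duplicate-DN cert is flagged, the distinct-CN cert passes.
demo=$(mktemp -d) && make_demo "$demo" &&
    for c in dup ok; do check_names "$demo/$c.pem" "$demo/ca.pem"; done
rm -rf "$demo"
```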