> From: owner-openssl-us...@openssl.org On Behalf Of Thomas Koeller
> Sent: Thursday, 07 February, 2013 15:54

> On Thursday 07 February 2013 07:31:55 you wrote:
> > On Wed, February 6, 2013 23:47, Thomas Koeller wrote:
> > > bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem
> > > -purpose sslserver cacert/host_ca.pem
<snip>
> > > error 26 at 0 depth lookup:unsupported certificate purpose
<snip>
> > I think this is correct, you tested your CA intermediate
> > certificate ...
>
> I did that on purpose, because adding the actual server
> certificate to the chain does not change the outcome, and I
> wanted to strip down the test case as much as possible.

That's a different case. An intermediate cert does not have the "purpose" attributes for sslserver.

[propose]
> > openssl verify -x509_strict -CAfile concatCA.pem
> > -purpose sslserver ssl.pem
> >
> > concatCA.pem is just this
> > ( cat cacert/root_ca.pem; cat cacert/host_ca.pem ) > concatCA.pem

Aside: that's silly. Just cat root_ca.pem host_ca.pem >concatCA.pem

> No, that does not work either. Here is a host certificate:
>
> bash-4.0$ openssl x509 ... -in host_certs/handy-thomas.pem
<snip: apparently issued by host_ca, at least DN looks right>
> I concatenated the intermediate signing certificate with this
> one to form the server certificate, and performed verification of the
> resulting chain. Here's the result:
>
> bash-4.0$ cat cacert/host_ca.pem host_certs/handy-thomas.pem >/tmp/test.pem
> bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem
> -purpose sslserver /tmp/test.pem

That's different and wrong. 'verify' does not read a chain from its non-option argument(s) or stdin, only a single cert. As Thomas Koeller wrote, put both CA certs (or in general all) in -CAfile and your server cert (alone) as last argument.

Note that this is different from SSL/TLS protocol handling. That normally does (send and) receive a chain, except that the root can be omitted because only a relier-local root can be trusted anyway, and does verify the chain + local root.

If you want to verify host_ca which is under root_ca, use verify -CAfile root_ca host_ca but do NOT specify -purpose.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
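Added example, not part of the thread and not OpenSSL project code: a POSIX shell script that builds a throw-away root -> intermediate -> server hierarchy with the openssl CLI (assumed: OpenSSL 1.1.1 or 3.x on PATH) and then runs the verify invocations discussed above, so the three outcomes can be reproduced side by side: the intermediate rejected under -purpose sslserver, the same intermediate accepted without -purpose, the concatenated-file pitfall (verify silently tests only the first certificate in the file), and the correct form with the CA certificates in -CAfile and the server certificate alone as the argument. It goes one step beyond the thread by also showing -untrusted, which trusts only the root and supplies the intermediate as chain material, closer to what a TLS client does with a received chain. All names (Demo-Root, Demo-Intermediate, server.example.test, the ext.cnf section names, the working directory) are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Reproduces the 'openssl verify'
# behaviour discussed above on a throw-away CA hierarchy. Assumes only a POSIX sh
# and the openssl CLI (1.1.1 or 3.x). Every name below is constructed for the demo.
set -e

WORK="${TMPDIR:-/tmp}/verify-demo.$$"

# Build root -> intermediate -> server with the extensions a strict verifier
# (-x509_strict) expects: critical basicConstraints and keyUsage on the CAs,
# SKID/AKID everywhere, serverAuth + SAN on the leaf. The intermediate has only
# keyCertSign/cRLSign, as a real signing CA does; that is what -purpose sslserver
# rejects when the intermediate itself is the certificate under test.
make_pki() (
    mkdir -p "$WORK" && cd "$WORK"
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    for n in root inter server; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
    done
    openssl req -x509 -new -key root.key -subj /CN=Demo-Root -days 30 \
        -config ext.cnf -extensions v3_root -out root.pem
    openssl req -new -key inter.key -subj /CN=Demo-Intermediate \
        -config ext.cnf -out inter.csr
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
        -days 30 -extfile ext.cnf -extensions v3_inter -out inter.pem
    openssl req -new -key server.key -subj /CN=server.example.test \
        -config ext.cnf -out server.csr
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
        -days 30 -extfile ext.cnf -extensions v3_server -out server.pem
    cat root.pem inter.pem > ca-chain.pem        # what belongs in -CAfile
    cat inter.pem server.pem > concatenated.pem  # the /tmp/test.pem mistake
)

# Run 'openssl verify' with the given arguments, echo its report, and return 0
# only when it printed "<file>: OK" (the exit status alone is not reliable on
# old releases).
run_verify() {
    out=$(openssl verify "$@" 2>&1) || true
    printf '%s\n' "$out"
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# 1. Intermediate as the cert under test, with -purpose sslserver: rejected
#    (error 26, unsupported certificate purpose). A CA cert is not a server cert.
intermediate_with_purpose() {
    run_verify -x509_strict -CAfile "$WORK/root.pem" -purpose sslserver "$WORK/inter.pem"
}
# 2. Same intermediate without -purpose: OK. This is the advice in the reply.
intermediate_without_purpose() {
    run_verify -x509_strict -CAfile "$WORK/root.pem" "$WORK/inter.pem"
}
# 3. inter+server concatenated as the argument: verify reads only the first cert,
#    so this reports on the intermediate and says nothing about the server cert.
concatenated_file() {
    run_verify -x509_strict -CAfile "$WORK/root.pem" -purpose sslserver "$WORK/concatenated.pem"
}
# 4. Correct form: all CA certs in -CAfile, the server cert alone as argument.
server_with_chain() {
    run_verify -x509_strict -CAfile "$WORK/ca-chain.pem" -purpose sslserver "$WORK/server.pem"
}
# 5. Trust only the root; hand the intermediate over as untrusted chain material.
server_with_untrusted() {
    run_verify -x509_strict -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        -purpose sslserver "$WORK/server.pem"
}

cleanup() { rm -rf "$WORK"; }

main() {
    make_pki
    echo '# 1. intermediate, -purpose sslserver (expected: rejected)'
    intermediate_with_purpose || true
    echo '# 2. intermediate, no -purpose (expected: OK)'
    intermediate_without_purpose
    echo '# 3. concatenated inter+server as argument (reports on the intermediate only)'
    concatenated_file || true
    echo '# 4. CA certs in -CAfile, server cert alone (expected: OK)'
    server_with_chain
    echo '# 5. root in -CAfile, intermediate via -untrusted (expected: OK)'
    server_with_untrusted
    cleanup
}
main "$@"
```

Run it as `sh verify-demo.sh`; each step prints the report from `openssl verify`. Step 3 is the one to remember: a file holding more than one certificate is not an error, it is silently reduced to its first certificate, so the thread's `/tmp/test.pem` experiment could never say anything about the server certificate, whatever the result.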