Hi all,

I have just created a new CA which has the extension to allow client 
authentication. My previous CA worked fine without this extension but some 
client application now requires that I set it. So I've created a new client key 
pair and signed it with the new CA, but when I use openssl verify to test them, 
they do not verify.

I get the following error:
$ openssl verify -CAfile CA/cacert.pem client.cert
stdin: CN = d8ab98a0252208818a29d5548bd833d40e85e4fa14bf146dc04be5139418fae2, emailAddress = a...@gmail.com, C = aa
error 20 at 0 depth lookup:unable to get local issuer certificate

If I look at the new client certificate's chain I get:
~$ openssl x509 -issuer -subject -noout -in client.cert
issuer= /C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
subject= /CN=d8ab98a0252208818a29d5548bd833d40e85e4fa14bf146dc04be5139418fae2/emailAddress=a...@gmail.com/C=aa

and the CA certificate is self-signed:
~$ openssl x509 -issuer -subject -noout -in CA/cacert.pem
issuer= /C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
subject= /C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost

The extensions for the CA are now:
X509v3 extensions:
    X509v3 Subject Key Identifier:
        ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
    X509v3 Authority Key Identifier:
        keyid:ED:51:C6:3B:A3:72:B3:F5:33:80:F0:7C:15:FD:CE:FF:6C:B6:07:6A
        DirName:/C=aa/ST=gg/L=ppp/O=mod/OU=eng/CN=crypto-admin/emailAddress=root@localhost
        serial:A4:48:38:09:CB:16:6A:D0
    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Key Usage:
        Certificate Sign, CRL Sign

I just cannot understand this verification problem - the client is directly 
signed by the root CA!?
Any help appreciated.

Thanks
LJB
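As an added example (not code from LJB's post), the script below builds a throwaway CA carrying the same extension set shown above, issues a clientAuth leaf from it, and compares the leaf's Authority Key Identifier key id with the CA's Subject Key Identifier before running openssl verify; that comparison is the first thing to check when error 20 appears against a CA that is supposed to be the direct issuer, since a leaf signed by a different CA key fails it even when the issuer name matches. It assumes openssl 1.1.1 or newer on PATH; every file name and subject is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway CA with the
# same extension set the post shows, issues a clientAuth leaf from it, and checks
# that the leaf's AKID key id equals the CA's SKID before running openssl verify.
# Assumes openssl 1.1.1+ on PATH; all file names and subjects are constructed.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
EOF
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

# Self-signed CA: a CSR signed with its own key, extensions taken from ca.ext.
make_ca() {  # $1 = CA name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf issued by the named CA with the client extensions.
make_leaf() {  # $1 = leaf name, $2 = issuing CA name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/client.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# The key id sits on the line after the extension header. OpenSSL 1.1.1 prefixes
# the AKID value with "keyid:", 3.x prints it bare when only the key id is present.
ext_keyid() {  # $1 = extension name, $2 = certificate file
  openssl x509 -noout -ext "$1" -in "$2" | awk 'NR == 2 { sub(/^ *(keyid:)?/, ""); print }'
}

# True only when the leaf's AKID names the key identified by the CA's SKID.
issuer_matches() {  # $1 = leaf file, $2 = CA file
  akid=$(ext_keyid authorityKeyIdentifier "$1")
  [ -n "$akid" ] && [ "$akid" = "$(ext_keyid subjectKeyIdentifier "$2")" ]
}

verify_leaf() { openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; }  # $1 leaf, $2 CA
```

Run `make_ca ca1; make_leaf leaf1 ca1; issuer_matches "$WORK/leaf1.pem" "$WORK/ca1.pem" && verify_leaf leaf1 ca1` for the good case; against a second CA both checks fail.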
