I figured it out and am now wondering if there is a defect in the openssl
verify command. This suggestion from Dave Thompson:

> I would first try x509 -noout -subject|issuer -nameopt multiline,show_type
> and see if that helps.

pointed me in the right direction. What I found was that the issuer for certificate
A, which was the one that was NOT working, looked like this:
[cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt multiline,show_type -in CertA.pem
issuer=
    countryName               = UTF8STRING:US
    stateOrProvinceName       = UTF8STRING:New York
    organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
    commonName                = UTF8STRING:view
While the issuer for certificate B and subject for my CA looked like this:
[cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt multiline,show_type -in CertB.pem
issuer=
    countryName               = PRINTABLESTRING:US
    stateOrProvinceName       = UTF8STRING:New York
    organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
    commonName                = UTF8STRING:view
[cbarbe@localhost foropensslusers]$ openssl x509 -noout -issuer -nameopt multiline,show_type -in CA.pem
issuer=
    countryName               = PRINTABLESTRING:US
    stateOrProvinceName       = UTF8STRING:New York
    organizationName          = UTF8STRING:Allworx Corp, a Windstream Company
    commonName                = UTF8STRING:view
So it looks like openssl verify is not taking the type of countryName into 
account while the browsers are. Is this expected behavior or a defect?

Again, thanks for all the help everybody!

CHAD

________________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on 
behalf of Dave Thompson [dthomp...@prinpay.com]
Sent: Monday, July 07, 2014 4:03 PM
To: openssl-users@openssl.org
Subject: RE: Certificate problem

> From: owner-openssl-us...@openssl.org On Behalf Of Barbe, Charles
> Sent: Sunday, July 06, 2014 22:42

> I have the following certificates and associated private keys:
>
> A - certificate A generated with one version of my software not using openssl
> B - certificate B generated with a new version of my software that does use openssl
> CA - a local certificate authority whose private key is used to sign both A and B
>
> I can verify both A and B using openssl verify using CA as the cafile argument.
>
> However, when I install CA on a client and try to connect a web browser to
> my server running the two different versions of software, they complain that
> they cannot find the issuer with A but not with B.
>
> I have examined both certificates and cannot find anything different about
> them. As far as I can tell, the only difference is that B used openssl to
> generate the certificate and A used our own custom software. The odd thing
> to me is that openssl verify can verify both just fine. What are the web
> browsers doing different? I've tried Chrome, Firefox and Opera and all
> behave the same... accepting B and rejecting A.
>
> Does anybody have any suggestions on where to look to figure this out? A
> tool to use?
>
You are installing in the correct placeS which can be different per browser,
right?

The only thing that springs to mind that could be invisible is string types and
some options of the cert Issuer fields vs the CA Subject. RFC 5280 requires a
fairly complicated Unicode-aware comparison algorithm which I believe openssl
does (it definitely canonicalizes before comparison, but I haven't gone through
the canonicalization to make sure it exactly matches the RFC); browsers might
not do the same (perhaps indirectly) although I'd be surprised if NONE do.

I would first try x509 -noout -subject|issuer -nameopt multiline,show_type
and see if that helps.
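The following is an added example, not code from the thread or from OpenSSL. It encodes two DER Names built from the DN values shown above (cert A's issuer with countryName as UTF8String, the CA subject with countryName as PrintableString; sample values constructed here) and compares them two ways: byte for byte, which is the strict match the browsers appear to have applied, and the RFC 5280 section 7.1 style match that ignores the string type, which is what lets openssl verify accept cert A. The canonicalization is a simplified version of the RFC's (the real one runs through RFC 4518 string preparation), and the DER helpers are minimal ones written for this example.

```python
# Added example (not from the thread or OpenSSL): strict vs RFC 5280-style
# Name comparison on constructed DER Names modelled on the DNs in the thread.

SEQUENCE, SET, OID = 0x30, 0x31, 0x06
UTF8STRING, PRINTABLESTRING, IA5STRING, BMPSTRING = 0x0C, 0x13, 0x16, 0x1E
TAG_NAMES = {UTF8STRING: "UTF8STRING", PRINTABLESTRING: "PRINTABLESTRING",
             IA5STRING: "IA5STRING", BMPSTRING: "BMPSTRING"}
STRING_DECODERS = {UTF8STRING: "utf-8", PRINTABLESTRING: "ascii",
                   IA5STRING: "ascii", BMPSTRING: "utf-16-be"}
# X.520 attribute OIDs: countryName, stateOrProvinceName, organizationName, commonName
OID_C, OID_ST, OID_O, OID_CN = (bytes.fromhex(h) for h in ("550406", "550408", "55040a", "550403"))

def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Decode every TLV inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_name(der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY }.
    Returns a list of RDNs, each a list of (oid, value_tag, value_bytes)."""
    tag, body, _ = der_read_tlv(der, 0)
    assert tag == SEQUENCE
    rdns = []
    for set_tag, set_body in der_children(body):
        assert set_tag == SET
        rdn = []
        for seq_tag, seq_body in der_children(set_body):
            assert seq_tag == SEQUENCE
            (oid_tag, oid), (val_tag, val) = der_children(seq_body)
            assert oid_tag == OID
            rdn.append((oid, val_tag, val))
        rdns.append(rdn)
    return rdns

def canonical_value(tag, value):
    """Simplified RFC 5280 7.1 form: string type dropped, text case-folded,
    whitespace runs collapsed and ends trimmed."""
    encoding = STRING_DECODERS.get(tag)
    if encoding is None:
        return ("raw", tag, value)          # non-string value: compare as-is
    return ("str", " ".join(value.decode(encoding).split()).casefold())

def names_equal_binary(der_a, der_b):
    """Strict match: the encoded Names must be identical byte for byte."""
    return der_a == der_b

def names_equal_canonical(der_a, der_b):
    """RFC 5280 style match: same RDN sequence, each RDN equal as a set of
    (type, canonical value) pairs regardless of the string encoding used."""
    a, b = parse_name(der_a), parse_name(der_b)
    if len(a) != len(b):
        return False
    for rdn_a, rdn_b in zip(a, b):
        set_a = sorted((oid, canonical_value(t, v)) for oid, t, v in rdn_a)
        set_b = sorted((oid, canonical_value(t, v)) for oid, t, v in rdn_b)
        if set_a != set_b:
            return False
    return True

def string_type_differences(der_a, der_b):
    """Attributes whose text matches canonically but whose ASN.1 string type
    differs, i.e. the invisible difference from the thread; returns
    (oid_hex, type_in_a, type_in_b) triples."""
    diffs = []
    for rdn_a, rdn_b in zip(parse_name(der_a), parse_name(der_b)):
        for (oid_a, tag_a, v_a), (oid_b, tag_b, v_b) in zip(rdn_a, rdn_b):
            if oid_a == oid_b and tag_a != tag_b and \
                    canonical_value(tag_a, v_a) == canonical_value(tag_b, v_b):
                diffs.append((oid_a.hex(), TAG_NAMES.get(tag_a, hex(tag_a)),
                              TAG_NAMES.get(tag_b, hex(tag_b))))
    return diffs

def der_tlv(tag, content):
    assert len(content) < 128               # short-form length suffices here
    return bytes([tag, len(content)]) + content

def build_name(attrs):
    """Encode a Name with one attribute per RDN; attrs are (oid, tag, text)."""
    rdns = b""
    for oid, tag, text in attrs:
        atv = der_tlv(SEQUENCE, der_tlv(OID, oid) + der_tlv(tag, text.encode("utf-8")))
        rdns += der_tlv(SET, atv)
    return der_tlv(SEQUENCE, rdns)

# Constructed samples: cert A's issuer carries countryName as UTF8String,
# cert B's issuer and the CA subject carry it as PrintableString.
_REST = [(OID_ST, UTF8STRING, "New York"),
         (OID_O, UTF8STRING, "Allworx Corp, a Windstream Company"),
         (OID_CN, UTF8STRING, "view")]
ISSUER_CERT_A = build_name([(OID_C, UTF8STRING, "US")] + _REST)
ISSUER_CERT_B = build_name([(OID_C, PRINTABLESTRING, "US")] + _REST)
CA_SUBJECT = build_name([(OID_C, PRINTABLESTRING, "US")] + _REST)

if __name__ == "__main__":
    for label, issuer in (("A", ISSUER_CERT_A), ("B", ISSUER_CERT_B)):
        print(f"cert {label}: binary {names_equal_binary(issuer, CA_SUBJECT)}, "
              f"canonical {names_equal_canonical(issuer, CA_SUBJECT)}, "
              f"type diffs {string_type_differences(issuer, CA_SUBJECT)}")
```

Cert A matches the CA subject only canonically, cert B matches both ways, and string_type_differences reports countryName (OID 2.5.4.6) as the single attribute encoded differently. X.520 defines countryName as a PrintableString of exactly two characters, so the UTF8String encoding produced by the custom generator is the non-conforming side; the robust fix is for the generator to copy the CA's subject bytes into the issuer field unchanged, which makes the chain build without relying on how far each verifier's canonicalization goes.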


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
