On 04.10.23 22:44, mike tancsa wrote:
> this fails with just the old-ca.crt
>
> % openssl verify -show_chain -CAfile old-ca.crt -untrusted int.crt sentex-remote-only.crt
> CN = sentex-remote-only
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error sentex-remote-only.crt: verification failed
>
> But works with the new ca or ca bundle of old and new
>
> % openssl verify -show_chain -CAfile newca.crt -untrusted int.crt sentex-remote-only.crt
> sentex-remote-only.crt: OK
> Chain:
> depth=0: CN = sentex-remote-only (untrusted)
> depth=1: CN = Sentex-remote-only CA
>
> It should show the cross-signed certificate at depth 1 linking the new server certificate to the old CA at depth 2.
Would the old-ca.crt happen to limit the verification depth it may be used for (i.e., forbid itself to sign intermediaries), like this CA cert (Let's Encrypt's R3) does?
# openssl x509 -in chain.pem -noout -text | grep -B 1 CA:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
Kind regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users