Certificate validating (openssl -verify ...) and interpreting messages


Certificate validating (openssl -verify ...) and interpreting messages

Walter H.
Hello,

when running this:

openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem

/tmp/chain.pem contains a root certificate
/tmp/cert.pem contains a certificate that was signed by this root
certificate;

I get the following output

/tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
error 19 at 1 depth lookup:self signed certificate in certificate chain

of course the number 19 means 'self signed certificate in certificate chain',
as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html

but what does the number 1 (at ... depth) say?

Does this reference a certificate of the whole chain? If so, which one:
the root or the other one?

Thanks for help;

Greetings from Austria,
Walter



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Certificate validating (openssl -verify ...) and interpreting messages

Viktor Dukhovni

> On May 18, 2016, at 1:26 PM, Walter H. <[hidden email]> wrote:
>
> openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem
>
> /tmp/chain.pem contains a root certificate
> /tmp/cert.pem contains a certificate that was signed by this root certificate;
>
> I get the following output
>
> /tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
> error 19 at 1 depth lookup:self signed certificate in certificate chain
>
> of course the number 19 means 'self signed certificate in certificate chain',
> as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html
>
> but what does the number 1 (at ... depth) say?

It means that while constructing a chain, the immediate issuer of the
leaf certificate was an untrusted self-signed certificate.  The leaf
certificate has depth 1, its issuer has depth 0.

--
        Viktor.


Re: Certificate validating (openssl -verify ...) and interpreting messages

Walter H.
On 18.05.2016 21:10, Viktor Dukhovni wrote:

>> On May 18, 2016, at 1:26 PM, Walter H.<[hidden email]>  wrote:
>>
>> openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem
>>
>> /tmp/chain.pem contains a root certificate
>> /tmp/cert.pem contains a certificate that was signed by this root certificate;
>>
>> I get the following output
>>
>> /tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
>> error 19 at 1 depth lookup:self signed certificate in certificate chain
>>
>> of course the number 19 means 'self signed certificate in certificate chain',
>> as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html
>>
>> but what does the number 1 (at ... depth) say?
> It means that while constructing a chain, the immediate issuer of the
> leaf certificate was an untrusted self-signed certificate.  The leaf
> certificate has depth 1, its issuer has depth 0.
>
Ah, ok; in case there had been a chain with 3 certificates, would
2 mean the leaf certificate, 1 the issuing intermediate and 0
the self-signed root?

Thanks,
Walter




Re: Certificate validating (openssl -verify ...) and interpreting messages

Jakob Bohm-7
On 18/05/2016 21:38, Walter H. wrote:

> On 18.05.2016 21:10, Viktor Dukhovni wrote:
>>> On May 18, 2016, at 1:26 PM, Walter H.<[hidden email]>  
>>> wrote:
>>>
>>> openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.trust.crt
>>> -trusted_first -untrusted /tmp/chain.pem /tmp/cert.pem
>>>
>>> /tmp/chain.pem contains a root certificate
>>> /tmp/cert.pem contains a certificate that was signed by this root
>>> certificate;
>>>
>>> I get the following output
>>>
>>> /tmp/cert.pem: CN = ..., O = ..., ST = ..., C = ...
>>> error 19 at 1 depth lookup:self signed certificate in certificate chain
>>>
>>> of course the number 19 means 'self signed certificate in certificate
>>> chain',
>>> as shown here: https://www.openssl.org/docs/manmaster/apps/verify.html
>>>
>>> but what does the number 1 (at ... depth) say?
>> It means that while constructing a chain, the immediate issuer of the
>> leaf certificate was an untrusted self-signed certificate.  The leaf
>> certificate has depth 1, its issuer has depth 0.
>>
> Ah, ok; in case there had been a chain with 3 certificates
> 2 means the leaf certificate, 1 means the issuing intermediate and 0
> means the self signed root?
No,

0 is always the leaf,
1 is always the issuer of the leaf
2 is always the issuer of the issuer of the leaf
etc.

So for a chain with 3 certificates, 2 is the root.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
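As an added example (not code from the thread or from OpenSSL), the helper below parses the `error N at D depth lookup:...` line that `openssl verify` prints and maps the depth to the chain position Jakob describes (0 is always the leaf, 1 its issuer, and so on); the chain list, file names and sample output line are constructed for the demonstration, and the three X509_V_ERR codes in the table are the standard OpenSSL values.

```python
import re
from typing import NamedTuple, Optional

# Shape of the diagnostic line openssl verify prints (as quoted in the thread):
#   error 19 at 1 depth lookup:self signed certificate in certificate chain
_ERR_RE = re.compile(r"^error (?P<code>\d+) at (?P<depth>\d+) depth lookup:\s*(?P<msg>.*)$")

# Standard X509_V_ERR_* codes that show up when a chain's trust anchor is missing.
KNOWN_CODES = {
    18: "self signed certificate: the leaf itself is self-signed and not trusted",
    19: "self signed certificate in certificate chain: the chain's top cert is not in the trust store",
    20: "unable to get local issuer certificate: an issuer is missing from -CAfile/-untrusted",
}


class VerifyError(NamedTuple):
    code: int
    depth: int
    message: str


def parse_verify_error(line: str) -> Optional[VerifyError]:
    """Parse one 'error N at D depth lookup:...' line; return None for any other line."""
    m = _ERR_RE.match(line.strip())
    if m is None:
        return None
    return VerifyError(int(m["code"]), int(m["depth"]), m["msg"].strip())


def position_name(depth: int, chain_len: int) -> str:
    """Name the chain position a depth refers to: 0 is the leaf, 1 its issuer, etc."""
    if depth == 0:
        return "leaf"
    if depth == chain_len - 1:
        return "root (top of the chain)"
    if depth < chain_len - 1:
        return f"intermediate (issuer #{depth} above the leaf)"
    # The verifier builds the chain from -untrusted plus the -CAfile store, so the
    # reported depth can exceed the number of certificates the caller supplied.
    return "beyond the supplied chain (issuer taken from the trust store)"


def locate(chain: list, line: str) -> Optional[str]:
    """Explain which certificate an error line points at; chain is ordered leaf first."""
    err = parse_verify_error(line)
    if err is None:
        return None
    which = chain[err.depth] if err.depth < len(chain) else "<not in supplied chain>"
    hint = KNOWN_CODES.get(err.code, err.message)
    return f"depth {err.depth} = {position_name(err.depth, len(chain))} [{which}]: error {err.code}, {hint}"


if __name__ == "__main__":
    # Constructed reproduction of the thread's case: a two-certificate chain, leaf first.
    sample = "error 19 at 1 depth lookup:self signed certificate in certificate chain"
    print(locate(["/tmp/cert.pem", "/tmp/chain.pem"], sample))
```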
