Question about X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN for a cert chain including the root cert


Bernhard Fröhlich-2
Hi there,

I have a question about certificate chain checking when the chain
includes a root certificate.

The server I want to connect to with openssl s_client (Version 0.9.8zc)
sends this certificate chain:

0 s:Server's cert
  i:Intermediate cert
1 s:Intermediate cert
  i:Root 1 cert
2 s:Root 1 cert
  i: Root 2 cert
3 s:Root 2 cert
  i:Root 2 cert

If my CA file includes the self-signed Root 1 cert, but not the "Root 2
cert", I get "Verify return code: 19 (self signed certificate in
certificate chain)".
If I add the Root 2 cert to the CA file everything is fine.
If I try openssl verify on the Server's cert with a CA file including
Intermediate cert and self-signed Root 1 cert, but not Root 2 cert,
verify reports OK.

My view was that the Root 1 cert in the CA file should verify the chain.
Obviously it does not, but why?
Are two certificates with the same subject but different issuer
considered different? Or is this an issue with my ancient openssl version?

Kind regards
Ted

--
PGP Public Key Information
Key ID = 7AFB8D26
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
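
The three results reported in the post can be reproduced with a small model of chain building. This is an added example, not part of the original message and not OpenSSL code: it compares a builder that follows the peer-supplied certificates before consulting the CA file (the order used by older OpenSSL releases such as the 0.9.8 series) with one that checks the CA file first (the order OpenSSL exposes as X509_V_FLAG_TRUSTED_FIRST). Assumptions: issuers are matched by name only, all certificates are constructed, and the function names and the `NO_ISSUER` label are hypothetical.

```python
# Simplified model: issuers are matched by name only (no signatures, key IDs, dates).
from collections import namedtuple
Cert = namedtuple("Cert", "subject issuer")
OK, DEPTH_ZERO_SELF_SIGNED, SELF_SIGNED_IN_CHAIN, NO_ISSUER = 0, 18, 19, "no issuer found"

def self_signed(c):
    return c.subject == c.issuer
def find_issuer(cert, pool):
    return next((c for c in pool if c.subject == cert.issuer), None)

def extend(chain, pool):  # append issuers from pool until self-signed or a dead end
    while not self_signed(chain[-1]):
        nxt = find_issuer(chain[-1], [c for c in pool if c not in chain])
        if nxt is None:
            break
        chain.append(nxt)

def verify_untrusted_first(leaf, untrusted, trusted):
    chain, chain_ss = [leaf], None
    extend(chain, untrusted)               # follow the peer's chain to its end
    if self_signed(chain[-1]):
        if len(chain) == 1:
            return OK if leaf in trusted else DEPTH_ZERO_SELF_SIGNED
        chain_ss = chain.pop()             # set the peer's self-signed cert aside
    extend(chain, trusted)                 # only now consult the CA file
    if self_signed(chain[-1]):
        return OK
    return SELF_SIGNED_IN_CHAIN if chain_ss is not None else NO_ISSUER

def verify_trusted_first(leaf, untrusted, trusted):
    chain = [leaf]
    while True:
        nxt = find_issuer(chain[-1], trusted)      # CA file is checked at every step
        if nxt is not None and self_signed(nxt):
            return OK                              # reached a trusted root
        if nxt is None:
            if self_signed(chain[-1]):
                return SELF_SIGNED_IN_CHAIN if len(chain) > 1 else DEPTH_ZERO_SELF_SIGNED
            nxt = find_issuer(chain[-1], [c for c in untrusted if c not in chain])
        if nxt is None or nxt in chain:
            return NO_ISSUER
        chain.append(nxt)

# Constructed certificates mirroring the chain in the post
server = Cert("Server's cert", "Intermediate cert")
inter = Cert("Intermediate cert", "Root 1 cert")
root1_cross = Cert("Root 1 cert", "Root 2 cert")   # Root 1 as sent by the server
root1_ss = Cert("Root 1 cert", "Root 1 cert")      # self-signed Root 1 in the CA file
root2 = Cert("Root 2 cert", "Root 2 cert")
sent = [inter, root1_cross, root2]
```

In the untrusted-first order the builder walks through the server-sent Root 1 (issued by Root 2) to the self-signed Root 2, so the self-signed Root 1 in the CA file is never matched; with the CA file checked first, the chain ends at Root 1.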