verify keeps failing

Warrick FitzGerald-2
Hi All,

I generated a CA cert and then created a certificate (using CA.pl in
./misc), however the verify does not seem to detect a valid CA.

openssl verify -CAfile ./demoCA/cacert.pem -purpose sslserver newreq.pem

produces "error 18 at 0 depth lookup:self signed certificate"

Which according to the man pages says:

------------

18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate

    the passed certificate is self signed and the same certificate
    cannot be found in the list of trusted certificates.

---------

What am I doing wrong here?

Thanks
Warrick


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: verify keeps failing

Dr. Stephen Henson
On Wed, Nov 09, 2005, Warrick FitzGerald wrote:

> Hi All,
>
> I generated a CA cert and then created a certificate (using CA.pl in
> ./misc), however the verify does not seem to detect a valid CA.
>
> openssl verify -CAfile ./demoCA/cacert.pem -purpose sslserver newreq.pem
>
> produces "error 18 at 0 depth lookup:self signed certificate"
>
> Which according to the man pages says:
>
> ------------
>
> 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
>
>     the passed certificate is self signed and the same certificate
>     cannot be found in the list of trusted certificates.
>
> ---------
>
> What am I doing wrong here?
>

Is that a typo above and you are actually using "newcert.pem" and not
"newreq.pem"?

Also are you entering *exactly* the same field values for the root CA and the
server certificate?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: verify keeps failing

Warrick FitzGerald-2
Dr. Stephen Henson wrote:
> On Wed, Nov 09, 2005, Warrick FitzGerald wrote:
>
> > Hi All,
> >
> > I generated a CA cert and then created a certificate (using CA.pl in
> > ./misc), however the verify does not seem to detect a valid CA.
> >
> > openssl verify -CAfile ./demoCA/cacert.pem -purpose sslserver newreq.pem
> >
> > produces "error 18 at 0 depth lookup:self signed certificate"
> >
> > Which according to the man pages says:
> >
> > ------------
> >
> > 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
> >
> >     the passed certificate is self signed and the same certificate
> >     cannot be found in the list of trusted certificates.
> >
> > ---------
> >
> > What am I doing wrong here?
>
> Is that a typo above and you are actually using "newcert.pem" and not
> "newreq.pem"?
>
> Also are you entering *exactly* the same field values for the root CA and the
> server certificate?
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

Here's the exact process I'm following (see details below):

1. Create CA
2. Create Cert
3. Try to verify

For some odd reason CA.pl writes the Key and Cert to newreq.pem, so no, the above was not a typo ... am I misunderstanding something here?

Thanks
Warrick


=========================


[root@LiveMail2 misc]# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............................................++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (eg, city) [Purchase]:
Organization Name (eg, company) [LiveTechnology Holdings Inc.]:
Organizational Unit Name (eg, section) [Network Operations]:
Common Name (eg, YOUR name) []:LiveTechnology CA
Email Address [[hidden email]]:


==============================


[root@LiveMail2 misc]# ./CA.pl -newcert
Generating a 1024 bit RSA private key
..........++++++
.....................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (eg, city) [Purchase]:
Organization Name (eg, company) [LiveTechnology Holdings Inc.]:
Organizational Unit Name (eg, section) [Network Operations]:
Common Name (eg, YOUR name) []:tls.livetechnology.com
Email Address [[hidden email]]:
Certificate (and private key) is in newreq.pem

=============================

[root@LiveMail2 misc]# openssl verify -CAfile ./demoCA/cacert.pem -purpose sslserver newreq.pem
newreq.pem: /C=US/ST=New York/L=Purchase/O=LiveTechnology Holdings Inc./OU=Network [hidden email]
error 18 at 0 depth lookup:self signed certificate
OK


Re: verify keeps failing

Dr. Stephen Henson
On Wed, Nov 09, 2005, Warrick FitzGerald wrote:

>
> Here's the exact process I'm following (see details below):
>
> 1. Create CA
> 2. Create Cert
> 3. Try to verify
>
> For some odd reason CA.pl writes the Key and Cert to newreq.pem, so no,
> the above was not a typo ... am I misunderstanding something here?
>

What you should do is..

1. Create CA
2. Create cert req.
3. Sign req with CA.
4. Try to verify.

The commands:

CA.pl -newca
CA.pl -newreq
CA.pl -signreq

should do it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
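
The two procedures discussed in this thread, reproduced side by side with plain openssl commands. This is an added example, not part of the original messages and not CA.pl itself; the subject names, the temporary directory layout and the helper function names are constructed for illustration. It shows that a self-signed leaf fails with error 18 against the CA, while a request signed by that CA verifies.

```shell
#!/bin/sh
# Added example. Subject names and file layout are constructed for the demo.

# make_pki DIR: build a throwaway CA, a self-signed leaf and a CA-signed leaf.
make_pki() {
    d=$1
    # CA: self-signed root, like cacert.pem from "CA.pl -newca".
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example/CN=Example Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    # Failing path: a second self-signed certificate (issuer == subject),
    # which is the kind of file "CA.pl -newcert" wrote in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example/CN=tls.example.test" \
        -keyout "$d/selfkey.pem" -out "$d/selfsigned.pem" 2>/dev/null
    # Working path, step 2: key plus certificate request only.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=tls.example.test" \
        -keyout "$d/newkey.pem" -out "$d/newreq.pem" 2>/dev/null
    # Working path, step 3: the CA signs the request.
    openssl x509 -req -in "$d/newreq.pem" -days 30 \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -out "$d/newcert.pem" 2>/dev/null
}

# verify_code DIR CERT: first "error N" number from openssl verify, or 0.
verify_code() {
    out=$(openssl verify -CAfile "$1/cacert.pem" -purpose sslserver \
        "$1/$2" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

# is_self_issued CERT: succeeds when subject and issuer DNs are identical.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

work=$(mktemp -d)
make_pki "$work"
for c in selfsigned.pem newcert.pem; do
    echo "$c: verify error code $(verify_code "$work" "$c")"
done
```

The session quoted in the thread prints OK after the error 18 line, which is why the helper keys on the error line rather than on the last word of the output.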