Bug#752272: Last certificate not self-signed
Andreas Metzler
ametzler at bebt.de
Sun Jun 22 17:54:18 UTC 2014
On 2014-06-22 Jo Drexl <jo.drexl at poly-tick.de> wrote:
> On Sunday, 22.06.2014 at 08:22 +0200, Andreas Metzler wrote:
>> On 2014-06-22 Jo Drexl <jo.drexl at poly-tick.de> wrote:
>>> After installing the stable package and rerunning 'certtool -e
>>> --load-ca-certificate cacert.pem --infile servercert.pem', the outcome
>>> was:
>> [...]
>>> It seems the self-sign for snakeoil CAs is broken.
>>> Good luck, I don't think I'm of much use here, still playing around and
>>> trying to find out what I'm doing here ;)
>> You are trying to use -e but you are passing a single certificate
>> instead of a certificate chain.
>> | -e, --verify-chain
>> | Verify a PEM encoded certificate chain.
>> |
>> | The last certificate in the chain must be a self signed one.
>> If you used --verify instead the command would succeed.
> Sure, I do only give it one ca-certificate - because it's the next and
> last one in the chain and is self-signed (certtool
> --generate-self-signed --load-privkey cakey.pem --template ca.info
> --outfile cacert.pem). I did follow the howto step by step.
Hello,
I am not sure you are understanding me correctly. -e needs a chain as
infile. You are passing a single non-self-signed certificate.
i.e. while either of these succeeds:
* certtool --verify --load-ca-certificate cacert.pem --infile \
    servercert.pem
* cat servercert.pem cacert.pem > chain.pem && \
    certtool --verify-chain --infile chain.pem
this one always fails:
* certtool --verify-chain file-containing-only-a-single-non-self-signed-cert
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
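Added example, not part of this thread and not GnuTLS code: a stdlib-only Python check that applies the structural rules certtool -e enforces on a PEM bundle (at least one certificate, each certificate issued by the one after it, and the last one self-signed). Self-signedness is approximated here by comparing the DER-encoded issuer and subject names; certtool additionally verifies the signature with the certificate's own key. All function names, the minimal DER encoder/decoder and the two sample certificates (placeholder signatures, no real keys, "Snakeoil CA" and "www.example.test" are made-up names) are constructed for this illustration.

```python
"""Structural chain check in the spirit of `certtool --verify-chain` (stdlib only)."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_ders(pem: bytes) -> list:
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(pem)]


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> list:
    """(tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out


def issuer_and_subject(der: bytes):
    """Raw DER of the issuer and subject Name fields of an X.509 Certificate."""
    _, cert_start, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)      # tbsCertificate SEQUENCE
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # Now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, i_start, _, i_end = fields[2]
    _, s_start, _, s_end = fields[4]
    return der[i_start:i_end], der[s_start:s_end]


def check_chain(ders: list):
    """Non-empty, each cert issued by the next, last cert self-signed (issuer == subject)."""
    if not ders:
        return False, "no certificate found"
    names = [issuer_and_subject(d) for d in ders]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return False, f"certificate {i} was not issued by certificate {i + 1}"
    issuer, subject = names[-1]
    if issuer != subject:
        return False, "last certificate is not self-signed"
    return True, "ok"


# --- constructed toy certificates, used only to exercise the parser -------------
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder for lengths below 65536."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN (OID 2.5.4.3)."""
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def toy_cert_pem(subject_cn: str, issuer_cn: str) -> bytes:
    """Structurally valid Certificate with a placeholder (all-zero) signature and key."""
    alg = _der(0x30, bytes.fromhex("06092A864886F70D01010B") + b"\x05\x00")  # sha256WithRSA, NULL
    utc = lambda s: _der(0x17, s.encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
                + _name(issuer_cn) + _der(0x30, utc("240101000000Z") + utc("340101000000Z"))
                + _name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


SERVER = toy_cert_pem("www.example.test", "Snakeoil CA")   # constructed leaf, issued by the CA
CA = toy_cert_pem("Snakeoil CA", "Snakeoil CA")            # constructed self-signed CA


def verify_chain_like_certtool(pem: bytes):
    return check_chain(pem_to_ders(pem))


if __name__ == "__main__":
    print(verify_chain_like_certtool(SERVER))        # lone leaf: fails like the report
    print(verify_chain_like_certtool(SERVER + CA))   # leaf then CA: ok
    print(verify_chain_like_certtool(CA + SERVER))   # wrong order: fails
```

Feeding the leaf alone reproduces the reported failure ("last certificate is not self-signed"), while the concatenation in the order the reply gives (server certificate first, CA last) passes; reversing the order also fails, because the chain must run from the end-entity certificate up to the root.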