SSL fingerprint mismatch and issuer certificate problem
- From: "M. Fioretti" <mfioretti (at) mclink.it>
- Date: Tue, 13 Jun 2006 23:59:18 +0200
On Tue, Jun 13, 2006 19:28:58 PM +0200, io (mfioretti (at) mclink.it) wrote:
> I have a remote server running centos 4.3 and a home desktop running
> suse 10.1. I have generated an SSL certificate on the server, copied
> it on the desktop and run on the desktop:
After a lot of googling, I have found that:
openssl -verify -issuer_checks returns:
error 30 at 0 depth lookup:authority and subject key identifier mismatch
which, in turn, seems to be caused by screwed settings of
subjectKeyIdentifier and authorityKeyIdentifier in openssl.conf. But I
have not changed them from the default:
######################################################################
marco (at) polaris:~/geecheck/usr/share/ssl> grep -i keyidentifier openssl.cnf
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
authorityKeyIdentifier=keyid:always,issuer:always
marco (at) polaris:~/geecheck/usr/share/ssl>
########################################################################
Should I change them? If yes, to which values? The ones suggested at
http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-current.html,
for example, are in contrast with them. I will try those settings
tomorrow, but I would really like to hear your opinion, before trying
all possible combinations of values...
TIA,
marco
--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/
Excuse me for being greedy, but I want freedom and good government.
Both a flourishing economy and a well-cared-for earth. A society that
is diverse and communal.. that offers both privacy and accountability.
One that can afford a big conscience, along with lots of neat toys.
-- David Brin -- The Transparent Society
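
Added example, not part of the original message: error 30 is OpenSSL's X509_V_ERR_AKID_SKID_MISMATCH, raised when the keyid in a certificate's Authority Key Identifier differs from the Subject Key Identifier of the certificate offered as its issuer. The sketch below makes that comparison on text dumps in the layout of `openssl x509 -noout -text`; the helper names and the sample key identifiers are constructed for illustration.

```python
import re

# Colon-separated hex bytes, as printed by `openssl x509 -noout -text`.
HEX = r"((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"
SKI_RE = re.compile(r"X509v3 Subject Key Identifier:\s*" + HEX)
# Some OpenSSL versions print a "keyid:" prefix, others print the bare bytes.
AKI_RE = re.compile(r"X509v3 Authority Key Identifier:\s*(?:keyid:)?" + HEX)

def key_ids(dump):
    """Return (SKI, AKI keyid) from a text dump; None for a missing field."""
    ski, aki = SKI_RE.search(dump), AKI_RE.search(dump)
    return (ski.group(1).upper() if ski else None,
            aki.group(1).upper() if aki else None)

def check_issuer(cert_dump, issuer_dump):
    """Compare the certificate's AKI keyid with the candidate issuer's SKI."""
    _, aki = key_ids(cert_dump)
    ski, _ = key_ids(issuer_dump)
    if aki is None or ski is None:
        return "not-comparable"  # one side lacks the extension
    return "match" if aki == ski else "mismatch"

def dump(ski, aki):
    """Build a constructed excerpt in the layout of the extensions section."""
    text = "        X509v3 extensions:\n"
    if ski:
        text += ("            X509v3 Subject Key Identifier: \n"
                 "                %s\n" % ski)
    if aki:
        text += ("            X509v3 Authority Key Identifier: \n"
                 "                keyid:%s\n"
                 "                DirName:/CN=Example CA\n"
                 "                serial:00\n" % aki)
    return text

# Constructed sample data (not taken from the message).
CA = dump("AA:11:22:33", "AA:11:22:33")              # self-signed: AKI == own SKI
SERVER = dump("BB:44:55:66", "AA:11:22:33")          # issued by CA
REGENERATED_CA = dump("CC:77:88:99", "CC:77:88:99")  # same name, new key
NO_EXT = dump(None, None)                            # no key identifier extensions

if __name__ == "__main__":
    for name, issuer in (("CA", CA), ("REGENERATED_CA", REGENERATED_CA),
                         ("NO_EXT", NO_EXT)):
        print("SERVER vs %-15s %s" % (name, check_issuer(SERVER, issuer)))
```

A "mismatch" result means the file being used as the issuer is not the certificate whose key signed the one under test, which is a different condition from a wrong `subjectKeyIdentifier` or `authorityKeyIdentifier` line in the configuration.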