Vellore-Arumugam, Jagdish (Svr Automation)
2014-09-22 16:34:59 UTC
Hi,
I am getting a 'Certificate Signature Failure' (verify error:num=7:certificate signature failure) on Windows Server 2008 R2 Enterprise during certificate verification on the client side. I used the 'openssl s_client' command to check this behavior after seeing an SSL handshake failure in my application that uses Python M2Crypto for the SSL communication. This failure is seen only on the Windows platform; RHEL and Ubuntu running the same Python app using the same certificates does have this problem. The CAs are loaded from files that contain:
Cert #1: Single self-signed cert with Subject = 'ABC' and Issuer = 'ABC'
And the following chain of 3 certs:
Cert #2: This is part of a cert chain with Subject = 'ABC' and Issuer = 'ABC'
Cert #3: Intermediate CA Subject = 'ABC' and Issuer = 'Custom CA'
Cert #4: Self-signed root Subject = 'Custom CA' and Issuer = 'Custom CA'
Cert #1 and the chain have overlapping validity dates, so both are currently valid.
I encounter the problem only when I load 2 such CA files: one that corresponds to the server cert ('ABC') and another (say 'XYZ') that is used to verify a different server cert. The structure of both certs is identical and the chains in them use the same self-signed root cert. But each has a different Subject and Issuer for the top-level cert ('ABC' and 'XYZ').
I used exactly the same certificates for my Unix clients and they do not have this problem. An identical 'openssl s_client' command is successful on the Unix clients.
I am using OpenSSL 1.0.1h libraries.
Any suggestions on how to troubleshoot/resolve this problem will be very helpful.
Thank you,
Jag.