Creating OpenSSL Server Certificates for Testing Failed

I’m following exactly the instructions from these two pages

https://docs.mongodb.com/manual/appendix/security/appendixA-openssl-ca/
https://docs.mongodb.com/manual/appendix/security/appendixB-openssl-server/

But when running

openssl verify -CAfile test-ca.pem test-server1.pem

I got this error

error 7 at 0 depth lookup: certificate signature failure
error test-server1.pem: verification failed
139886075573568:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:…/crypto/rsa/rsa_pk1.c:66:
139886075573568:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:…/crypto/rsa/rsa_ossl.c:588:
139886075573568:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:…/crypto/asn1/a_verify.c:170:

Does anyone know why, please? Thank you

Took me almost a day to find out. Call me crazy or whatever, but apparently the common name between intermediate and root certificate must be different. I set them to be equal when using self certificates.

https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html

Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.

Hope that helps someone.
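
A quick check for the condition described in the answer above, as an added example that is not part of the original posts: OpenSSL finds an issuer by matching names, so two CA certificates with the same subject in the CA file are ambiguous. It assumes test-ca.pem is a bundle of the root and intermediate certificates; the function names are hypothetical and the certificates made by make_test_bundle are throwaway, constructed test input.

```shell
#!/bin/sh
# Added example: report subject DNs that occur more than once in a PEM CA
# bundle. Assumption: the bundle (e.g. test-ca.pem) is the root and
# intermediate certificates concatenated into one file.
# Usage after sourcing this file: duplicate_subjects test-ca.pem

# Print the subject line of every certificate in the bundle.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        grep '^subject'
}

# Exit status: 0 = all subjects distinct, 1 = duplicates found, 2 = unreadable.
duplicate_subjects() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    dups=$(bundle_subjects "$1" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'subject used by more than one CA certificate:\n%s\n' "$dups"
        return 1
    fi
    return 0
}

# Constructed test input: build a throwaway root ($2 = its CN) and an
# intermediate ($3 = its CN) signed by that root, then write both
# certificates to $1/bundle.pem.
make_test_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$d/ia.key" -out "$d/ia.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ia.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -days 1 \
        -out "$d/ia.crt" 2>/dev/null &&
    cat "$d/ia.crt" "$d/root.crt" > "$d/bundle.pem"
}
```

Running duplicate_subjects against the CA file before openssl verify separates a naming collision from a genuinely bad signature.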
