SSL handshake fails with - a verisign chain certificate - that contains two CA signed certificates and one self-signed certificate

ssl openssl handshake
curiousone picture curiousone · Nov 5, 2010 · Viewed 130.3k times · Source

I am stuck with a issue and trying to debug it. We purchased a Verisign certificate. When we use:

openssl> s_client -connect myweb.com:443 -showcerts

SSL Handshake never completes and at the end we see error:

Verify return code: 19 (self signed certificate in certificate chain)

It shows 3 ---BEGIN/END CERTIFICATE--- tags. Two certificates in chain are Verisign signed but one is self signed.

  1. If someone can please explain how this self-signed certificate shows up in a CA signed certificate?

  2. Is this error 19 (self signed certificate in certificate chain) benign? If not, what could be causing it?

  3. Client has the CA certificate in trusted store but there is nothing for the self-signed certificate. Do you think that could be causing problem? If yes, how do I:

    1. How can I get rid of the self-signed certificate from the chain certificate leaving behind only 2 CA signed certificates in chain?
    2. Add this self signed certificate on client trusted store?

Answer

Bruno picture Bruno · Nov 5, 2010

Root certificates issued by CAs are just self-signed certificates (which may in turn be used to issue intermediate CA certificates). They have not much special about them, except that they've managed to be imported by default in many browsers or OS trust anchors.

While browsers and some tools are configured to look for the trusted CA certificates (some of which may be self-signed) in location by default, as far as I'm aware the openssl command isn't.

As such, any server that presents the full chain of certificate, from its end-entity certificate (the server's certificate) to the root CA certificate (possibly with intermediate CA certificates) will have a self-signed certificate in the chain: the root CA.

openssl s_client -connect myweb.com:443 -showcerts doesn't have any particular reason to trust Verisign's root CA certificate, and because it's self-signed you'll get "self signed certificate in certificate chain".

If your system has a location with a bundle of certificates trusted by default (I think /etc/pki/tls/certs on RedHat/Fedora and /etc/ssl/certs on Ubuntu/Debian), you can configure OpenSSL to use them as trust anchors, for example like this:

openssl s_client -connect myweb.com:443 -showcerts -CApath /etc/ssl/certs

Related questions

SSL trouble (openssl)

I need configure connect to server via SSL protocol. I got from server owners 2 files - CA root certificate (ca.pem) and test certificate request (test.csr file). I am try to test connect via openssl s_connect utility and …

Read More
How to create a self-signed certificate with OpenSSL

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps: openssl req -new > cert.csr openssl rsa -in privkey.pem -out key.pem openssl x509 -in cert.csr -out …

Read More
How to get .pem file from .key and .crt files?

How can I create a PEM file from an SSL certificate? These are the files that I have available: .crt server.csr server.key

Read More