Certificate cannot be verified correctly #28056

Unanswered
szedf asked this question in Q&A

These contents were shown in the callback when I tried to use openssl_3.4.1 to verify a client certificate with the rootCA:

```c
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Verification callback: on failure, print the error code, chain depth and reason. */
int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
    if (!preverify_ok) {
        int err = X509_STORE_CTX_get_error(ctx);
        printf("err: %d\n", err);
        printf("Certificate error [depth:%d]: %s\n",
               X509_STORE_CTX_get_error_depth(ctx),
               X509_verify_cert_error_string(err));
    }
    return preverify_ok;
// err: 26
// Certificate error [depth:1]: unsuitable certificate purpose
// DC540000:error:0A000086:SSL routines:tls_process_client_certificate:certificate verify failed:ssl\statem\statem_srvr.c:3724:
}
```

When I check the client certificate, TLS Web Client Authentication was included in the EKU. What is the problem with the client certificate or the rootCA? Please help me. Thank you very much!

```
openssl x509 -in "C02_client_cert_CA1_CN.pem" -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:de:c9:43:6c:ad:14:eb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
        Validity
            Not Before: Sep  9 03:34:00 2024 GMT
            Not After : Sep  9 03:34:00 2026 GMT
        Subject: C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C02_client_cert_CA1_CN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d5:ff:a8:ee:c5:ca:2f:0a:16:57:05:93:f1:80:
                    58:6f:29:c2:71:c6:54:70:02:23:1e:c4:d4:08:bc:
                    8f:ad:0b:6f:43:a0:7c:9c:c9:2e:a4:0b:a3:d8:15:
                    e7:81:ff:55:c9:02:a5:79:fa:ae:4b:5b:6d:2e:6a:
                    b4:5e:6d:5a:12:ad:d3:78:7f:ee:e3:e1:cd:cc:58:
                    7d:32:f6:fe:20:da:2e:0c:9c:c4:b4:ff:a3:46:6c:
                    48:38:8b:27:cb:c7:88:c4:68:b2:dd:d2:65:cc:c0:
                    49:00:2c:65:e1:aa:6e:32:95:41:c1:e2:8b:75:6e:
                    6e:ea:4f:4a:26:1c:fc:0f:a0:3f:7d:46:f6:40:e7:
                    fc:b3:5a:86:84:ba:0d:e7:1c:61:77:e3:e9:1a:17:
                    fb:a2:3f:90:ae:52:6d:b2:8d:c0:16:a6:76:77:52:
                    a1:cf:95:7a:b2:c8:78:95:85:6c:b9:a8:31:76:60:
                    a8:06:fa:99:ea:d5:c9:75:ed:5e:bb:be:e9:e8:f2:
                    5e:53:f8:7b:54:43:06:f5:e4:77:5f:60:c8:7a:8e:
                    b3:f3:bd:25:bf:45:a0:38:85:9e:bc:24:bd:22:c1:
                    e2:ec:7d:ff:51:b0:bc:83:59:56:15:ad:83:35:c0:
                    a4:c7:8c:74:e0:21:74:0e:47:79:3b:b0:a9:98:0e:
                    38:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                3C:E9:6F:3F:26:E5:9A:6E:D1:A5:0A:3A:7A:35:A4:DC:8B:9C:FA:F6
            X509v3 Authority Key Identifier:
                39:6D:BC:62:73:32:A6:0C:13:C9:8E:A6:1F:D9:1A:A3:2A:EC:4A:7E
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        6b:34:02:10:d1:73:54:ea:29:c5:35:58:d4:5a:c8:cb:09:e3:
        37:58:6e:53:ce:8f:c2:af:e2:4f:42:a2:26:45:d0:ef:15:a1:
        45:6f:fd:08:13:57:33:7e:e5:90:87:9d:bd:bd:f0:a0:04:b4:
        aa:0d:f0:35:97:78:25:6f:5b:02:a2:c1:d6:6d:93:00:18:c8:
        56:3c:2a:94:c5:1b:a1:df:91:b1:d8:12:51:9b:e1:86:d1:19:
        27:3f:8a:8d:2d:d5:af:29:31:51:96:2e:17:96:a8:02:a9:25:
        fd:56:c2:8a:2a:c3:eb:b1:90:a2:1f:cc:04:86:bb:0c:a2:f6:
        32:6c:f7:0a:79:c0:22:64:6d:43:ee:fd:90:33:b0:8d:da:9f:
        65:e8:18:cf:d1:61:f7:e7:73:69:e9:02:9d:f5:b2:8b:33:9c:
        ae:40:e9:5b:4b:23:8b:0a:72:f2:a4:48:40:9b:9e:83:20:3d:
        73:ee:5e:b0:a8:43:c3:d3:9b:ee:21:f5:70:0d:b3:3d:2d:5e:
        44:a6:4a:d1:ec:0e:8a:8c:57:45:e7:2d:a7:f1:1f:f4:1a:ad:
        0b:3c:57:a7:40:b2:9d:b3:32:46:b0:cb:48:65:3b:5f:30:f4:
        7b:0d:51:0c:53:7f:71:43:c6:49:31:c2:29:69:9d:4f:52:52:
        b0:a7:0b:5c
```

I tried to use the openssl s_client command and it shows me "unsuitable certificate purpose":

```
openssl s_client -connect 127.0.0.1:19998 -cert "C02_client_cert_CA1_CN.pem" -key "C02_client_cert_CA1_CN_key.pem" -CAfile C01_CA1_root_CA_CN.pem
Connecting to 127.0.0.1
CONNECTED(00000190)
Can't use SSL_get_servername
depth=1 C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
verify error:num=26:unsuitable certificate purpose
verify return:1
depth=1 C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
verify return:1
depth=0 C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C02_server_cert_CA1_CN
verify return:1
E8210000:error:0A000413:SSL routines:ssl3_read_bytes:ssl/tls alert unsupported certificate:ssl\record\rec_layer_s3.c:908:SSL alert number 43
---
Certificate chain
 0 s:C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C02_server_cert_CA1_CN
   i:C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr  8 12:22:00 2025 GMT; NotAfter: Apr  8 12:22:00 2026 GMT
 1 s:C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
   i:C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 25 09:25:00 2019 GMT; NotAfter: Aug 25 09:25:00 2029 GMT
---
Server certificate
subject=C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C02_server_cert_CA1_CN
issuer=C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
---
SSL handshake has read 2191 bytes and written 2877 bytes
Verification error: unsuitable certificate purpose
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 51BDCF422E38FC8C40E441C4024FDCE767E28912890CFABC84A69B8E14C491B6
    Session-ID-ctx:
    Master-Key: 47F445DA6F9753E347F80F18D7D9F1CAB920BF777A275F93E9294ACC6A190CF5AF76A35C74C02C26D236C9DC711E2E38
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1752736498
    Timeout   : 7200 (sec)
    Verify return code: 26 (unsuitable certificate purpose)
    Extended master secret: yes
---
```

```
openssl x509 -in C01_CA1_root_CA_CN.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
        Validity
            Not Before: Aug 25 09:25:00 2019 GMT
            Not After : Aug 25 09:25:00 2029 GMT
        Subject: C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:6a:00:89:e4:8d:88:90:a7:2f:37:c3:86:61:
                    5b:a0:4c:52:2a:68:63:21:7e:fe:76:36:a3:4a:ae:
                    cd:f5:d6:42:e0:bd:9f:99:e2:fa:cf:ea:8d:99:7b:
                    28:79:da:dd:0b:85:94:a5:3d:48:4a:64:9d:4f:84:
                    95:8a:4d:67:b4:9c:29:c2:04:d6:79:3e:05:f9:e7:
                    d7:c0:35:30:85:a9:69:79:90:4a:c5:97:6e:24:99:
                    4a:04:49:e6:11:2b:35:52:4d:65:c7:e2:65:d2:d3:
                    83:54:e1:ee:69:dd:77:7b:45:80:8a:1c:a0:81:4e:
                    fd:fc:b3:66:4a:af:54:89:d3:1d:87:74:80:8e:04:
                    15:62:ed:d0:10:a5:05:ee:bf:da:a0:8f:df:12:1c:
                    c1:91:16:a7:e8:5e:5f:ee:9b:60:b9:b2:36:af:1b:
                    b8:85:6e:78:ae:21:0c:b8:e7:a1:56:d4:de:38:6a:
                    28:1c:1f:bd:15:3e:f7:ef:bd:a1:6a:0e:36:83:63:
                    2d:2a:5e:fd:cd:0e:e7:7c:3e:e3:1a:c1:35:90:09:
                    eb:93:29:96:54:79:a3:82:5c:10:9f:dc:e7:cf:d1:
                    43:01:fd:25:dc:43:c0:d4:d1:6e:23:4e:91:8a:03:
                    f7:f5:e5:63:ba:b7:ca:ae:31:1c:e5:20:c5:7e:2f:
                    4b:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                39:6D:BC:62:73:32:A6:0C:13:C9:8E:A6:1F:D9:1A:A3:2A:EC:4A:7E
            X509v3 Authority Key Identifier:
                39:6D:BC:62:73:32:A6:0C:13:C9:8E:A6:1F:D9:1A:A3:2A:EC:4A:7E
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                OCSP Signing
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        2e:9b:69:36:72:5d:d6:a3:af:e7:d1:4d:7a:28:97:e4:6f:61:
        d3:74:b9:59:fa:d4:26:fa:19:b8:0b:e6:61:0c:e7:11:e0:2d:
        96:b7:3d:a8:e5:3b:91:df:6e:09:b1:39:55:39:06:28:8b:a1:
        2f:d9:b7:66:8d:41:28:39:85:83:48:53:3f:7b:c7:da:0e:7b:
        33:45:24:0a:65:70:4e:a1:da:08:14:9b:ab:64:eb:db:05:5b:
        38:55:06:84:68:66:cd:c6:5f:c2:e8:9b:a6:4f:c2:7d:99:2b:
        f0:c4:4b:8f:dc:b3:db:49:60:31:64:d6:50:35:b5:86:1b:79:
        9e:b8:5d:1a:f6:bb:69:cd:92:79:95:4c:37:68:0f:e4:b3:b3:
        19:05:a9:f6:3f:47:8a:a8:f0:c4:51:a9:a6:4f:66:2f:9e:48:
        75:f6:17:5d:7c:60:19:09:14:b4:60:ea:a9:75:8a:0b:2f:0a:
        d6:00:5d:88:bd:e4:b8:92:b7:32:80:0f:c0:32:c6:1b:39:a2:
        43:cc:1f:a4:59:d0:07:ab:cb:be:65:2b:41:00:d6:7c:0c:99:
        d4:76:d6:66:6f:e8:e5:1b:8b:2c:f0:7d:8d:d2:d2:d6:49:bb:
        3c:4a:f6:d2:9b:da:17:67:84:3a:0c:e5:1e:90:5e:8d:55:7b:
        ef:2c:bc:ba
```

Replies: 1 comment

I am having a similar issue with a certificate I signed using my own CA and the lynx web browser and openssl client. Openssl will connect but gives error 26.
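
An added example, not part of the discussion and not OpenSSL's code: a simplified model of one rule in OpenSSL's purpose check, namely that an Extended Key Usage extension, when present on any certificate in the chain (CAs included), must list the requested purpose. It runs over the subject and extension lines copied from the two `openssl x509 -text` dumps in the question; the function names are hypothetical.

```python
import re

# Constructed excerpts: only the subject and extension lines of the two
# `openssl x509 -text` dumps in the question (leaf first, then the root CA).
CLIENT_TEXT = """\
        Subject: C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C02_client_cert_CA1_CN
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""
ROOT_TEXT = """\
        Subject: C=NL, ST=Netherlands, L=Arnhem, O=DNVGL, OU=INC, CN=C01_CA1_root_CA_CN
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage:
                OCSP Signing
"""

# EKU names as printed by `openssl x509 -text` for the two TLS purposes
# (the SGC OIDs OpenSSL also accepts for sslserver are left out of this model).
PURPOSE_EKU = {
    "sslclient": "TLS Web Client Authentication",
    "sslserver": "TLS Web Server Authentication",
}

def parse_eku(text):
    """Return the EKU names in the dump, or None when the extension is absent."""
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    return [name.strip() for name in m.group(1).split(",")] if m else None

def subject_cn(text):
    m = re.search(r"Subject:.*?CN\s*=\s*([^\n,]+)", text)
    return m.group(1).strip() if m else "?"

def purpose_failures(chain_texts, purpose):
    """Model of the EKU rule only: chain_texts[0] is the leaf, so the list
    index equals the depth reported by the verify callback."""
    needed = PURPOSE_EKU[purpose]
    failures = []
    for depth, text in enumerate(chain_texts):
        eku = parse_eku(text)
        # No EKU extension: unrestricted. EKU present: it must list the purpose.
        if eku is not None and needed not in eku:
            failures.append((depth, subject_cn(text), eku))
    return failures

if __name__ == "__main__":
    for depth, cn, eku in purpose_failures([CLIENT_TEXT, ROOT_TEXT], "sslclient"):
        print(f"depth {depth}: {cn} EKU={eku} lacks {PURPOSE_EKU['sslclient']}")
```

The real check can be run against the files themselves with `openssl verify -purpose sslclient -CAfile C01_CA1_root_CA_CN.pem C02_client_cert_CA1_CN.pem`.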

2 participants: @szedf, @abcbarryn