Subject: Re: Self signed certificate being flagged as a error.
From: Charles Swiger
In-Reply-To: <5552A28F.8090605@gmail.com>
Date: Wed, 13 May 2015 11:37:49 -0700
Cc: FreeBSD -
Message-Id: <9B2A442E-E176-4E6B-BD52-CC8393C5D35E@mac.com>
References: <5552A28F.8090605@gmail.com>
To: Ernie Luzar

On May 12, 2015, at 6:02 PM, Ernie Luzar wrote:
[ ... ]
> Then I did this command using the certificate outputted by the above
> openssl verify cacert.pem
>
> cacert.pem: C =US, ST = PA, L = Pittsburgh, CN = *.powerman.com
> error 18 at 0 depth lookup:self signed certificate
> ok
>
> Why does openssl think this is a error and how can I fix this so it will work?

It means that your CA isn't trusted by openssl.

Update your openssl.cnf to reference your local CA setup, or feed openssl
the -CApath / -CAfile arguments to the CA cert which signed the self-signed
cert that you are trying to validate.

One doesn't normally validate the CA cert itself; it's the root of the trust
chain and either it is trusted explicitly or it isn't. One normally validates
certs which have been signed by a CA; the CA cert should never be used for
anything except signing other certs.

Regards,
-- 
-Chuck
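
The behaviour described in the reply above, as an added example that is not part of the original message: a throwaway root and leaf are generated, then `openssl verify` is run with and without `-CAfile` to show when error 18 appears and when verification passes. The subject names, file names and the helper functions `make_pki`, `verify_result` and `demo` are assumptions made for this example.

```shell
# Added example: throwaway CA and leaf with constructed, hypothetical names.

make_pki() {  # $1 = existing empty working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root (issuer == subject); used only to sign other certs.
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null &&
    # Leaf key and CSR, then a leaf certificate issued by that root.
    openssl req -new -config "$1/ca.cnf" -subj "/CN=www.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -days 1 \
        -out "$1/server.pem" 2>/dev/null
}

# Echo the first "error N" that openssl verify reports, else "OK". Output is
# parsed because the quoted transcript shows "ok" printed after error 18.
verify_result() {  # "$@" = arguments for "openssl verify"
    out=$(openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "error $code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        echo unknown
    fi
}

demo() {
    d=$(mktemp -d) && make_pki "$d" || return 1
    echo "root, no anchor:  $(verify_result "$d/cacert.pem")"
    echo "leaf, no anchor:  $(verify_result "$d/server.pem")"
    echo "leaf, -CAfile:    $(verify_result -CAfile "$d/cacert.pem" "$d/server.pem")"
    echo "root, -CAfile:    $(verify_result -CAfile "$d/cacert.pem" "$d/cacert.pem")"
    rm -rf "$d"
}
demo
```

Error 20 on the leaf without an anchor is "unable to get local issuer certificate"; both certificates verify only once the root is supplied as an explicit trust anchor.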