[gnutls-devel] A certificate is verified by Gnutls but rejected by OpenSSL/PolarSSL

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Apr 3 07:18:59 CEST 2015

On Thu, 2015-04-02 at 18:48 -0700, Yuting Chen wrote:
> Another very different example: when I verify file5.pem (the attached
> file) against fa_rootCA_key_cert.pem, gnutls cannot find the issuer of
> the cert in file5.pem, but openssl/polarssl can find the issuer and
> accept it. It is a little tricky to find the issuer by comparing the
> "issuer" field of one certificate with the "subject" field of the ca
> certificate. 

As Peter noticed, the end certificate has authority key identifier set,
and the CA certificate has the subject key identifier set and they don't
match. In any case I think it is counter productive sending random
certificates which their verification doesn't match the other programs.
If you have certificate which you know it should or shouldn't pass but
the result of gnutls' certtool differs, then that will be an interesting


More information about the Gnutls-devel mailing list