curl-library

Re: Error 60 Self signed certificate issue

From: Alex Bligh <alex_at_alex.org.uk>
Date: Wed, 31 Aug 2016 16:16:32 +0100

> On 31 Aug 2016, at 14:23, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> The exact string "self signed certificate" is stated by OpenSSL there (right?) and I'm not familiar with its exact internal logic for saying it is self signed. The normal way to do self-signed certs is when you run a server with a cert that is signed by yourself and not by any known CA. Logically, a client cannot verify a self-signed cert and thus it fails the check.

It is possible to generate a self-signed CA certificate (for instance for an internal CA). You need to check however that the extended capabilities say that the certificate is good for signing. Omitting this, but signing with it anyway, can on occasion produce the above error.

A self-signed certificate used as the server certificate, and then adding that certificate to the trust chain will not itself normally work.

-- 
Alex Bligh
Received on 2016-08-31
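
The check described in the reply above, as an added example that is not part of the original mail: it builds a self-signed issuer with a given set of extensions, signs a server certificate with it, inspects the issuer for the CA and certificate-signing flags, and then verifies the server certificate against it. It assumes the OpenSSL command-line tool (1.1.0 or later); the function name `build_and_verify`, the subject names and the file names are made up for the illustration.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed.
# build_and_verify EXTLINE...: create a self-signed issuer carrying the given
# extension lines, sign a server cert with it, then trust the issuer and
# verify the server cert. Prints "ca_flags=<yes|no> verify=<ok|fail>".
build_and_verify() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' 'CN=Example Internal CA' '[v3]' "$@" > "$d/ca.cnf"

    # Self-signed issuer certificate with exactly the requested extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1

    # Server key and CSR, then a server cert signed by the issuer above.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj '/CN=server.example' -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null || return 1

    # Inspect the issuer: is it marked as a CA that may sign certificates?
    text=$(openssl x509 -in "$d/ca.pem" -noout -text)
    flags=no
    if echo "$text" | grep -q 'CA:TRUE' &&
       echo "$text" | grep -q 'Certificate Sign'; then
        flags=yes
    fi

    # Verify the server cert with the issuer as the only trust anchor.
    if openssl verify -CAfile "$d/ca.pem" "$d/leaf.pem" >/dev/null 2>&1; then
        v=ok
    else
        v=fail
    fi
    rm -rf "$d"
    echo "ca_flags=$flags verify=$v"
}

# Issuer marked as a signing CA: ca_flags=yes verify=ok
build_and_verify 'basicConstraints=critical,CA:TRUE' \
                 'keyUsage=critical,keyCertSign,cRLSign'
# Issuer with server-style extensions, used to sign anyway: ca_flags=no verify=fail
build_and_verify 'basicConstraints=CA:FALSE' \
                 'keyUsage=digitalSignature,keyEncipherment'
```

The error text printed by `openssl verify` in the failing case differs between OpenSSL versions, so the function reports only whether verification succeeded.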