Usable X.509 errors: OpenSSL

Original documentation:

The certificate is not yet valid: the notBefore date is after the current time. (source)

Original error message:

certificate is not yet valid (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CERT_­NOT_­YET_­VALID in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  not-yet-valid (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CERT_­NOT_­YET_­VALID in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­NOT_­ACTIVATED
• Botan: CERT_­NOT_­YET_­VALID
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­FUTURE
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, VALIDITY_­CHECK_­FAILED

Redesigned documentation:

The certificate has expired (its validity period passed).

Explanation

Every certificate is issued for a specific time period (determined by notBefore and notAfter fields in the certificate). The current time seems to be past the notAfter value. Therefore, the certificate is no longer valid.

Security perspective

The certificate is not valid anymore. That means the issuing Certificate Authority (CA) does guarantee the information in it is still correct. Moreover, expired certificates are removed from Certificate Revocation Lists (CRLs). That means the certificate might have been revoked in the past (e.g., because of a leaked private key), but we cannot check anymore. Thus, the server presenting this certificate may not be who it claims.

Next steps

First, ensure that the date, time and time zone are set correctly on your device to eliminate the possibility of local misconfiguration. If the time settings are correct, you should get a new valid certificate from the CA.

Original documentation:

The certificate has expired: that is the notAfter date is before the current time. (source)

Original error message:

certificate has expired (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CERT_­HAS_­EXPIRED in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  expired (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CERT_­HAS_­EXPIRED in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­EXPIRED
• Botan: CERT_­HAS_­EXPIRED
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­EXPIRED
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, VALIDITY_­CHECK_­FAILED

Original documentation:

The CRL is not yet valid. (source)

Original error message:

CRL is not yet valid (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CRL_­NOT_­YET_­VALID in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  crl_not_yet_valid (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CRL_­NOT_­YET_­VALID in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

The CRL has expired. (source)

Original error message:

CRL has expired (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CRL_­HAS_­EXPIRED in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  crl_has_expired (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CRL_­HAS_­EXPIRED in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

The certificate has been revoked. (source)

Original error message:

certificate revoked (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CERT_­REVOKED in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  cert_revoked (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CERT_­REVOKED in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete. (source)

Original error message:

unable to get issuer certificate (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­UNABLE_­TO_­GET_­ISSUER_­CERT in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  trusted-only-intermediate (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­UNABLE_­TO_­GET_­ISSUER_­CERT in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: CERT_­ISSUER_­NOT_­FOUND
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found. (source)

Original error message:

unable to get local issuer certificate (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­UNABLE_­TO_­GET_­ISSUER_­CERT_­LOCALLY in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  bc-path-len-negative (see the  generation script)
• Case  chain-loop (see the  generation script)
• Case  duplicate-bc-extension (see the  generation script)
• Case  issuer-no-match-subject (see the  generation script)
• Case  no-certsign-in-keyusage (see the  generation script)
• Case  proxy-ca (see the  generation script)
• Case  proxy-with-san (see the  generation script)
• Case  self-signed-end-entity (see the  generation script)
• Case  unknown-root-cn (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­UNABLE_­TO_­GET_­ISSUER_­CERT_­LOCALLY in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS, GNUTLS_­CERT_­SIGNER_­NOT_­FOUND, GNUTLS_­E_­KEY_­USAGE_­VIOLATION, GNUTLS_­E_­X509_­DUPLICATE_­EXTENSION, GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE, GNUTLS_­CERT_­SIGNER_­NOT_­CA, GNUTLS_­CERT_­UNEXPECTED_­OWNER
• Botan: UNKNOWN_­CRITICAL_­EXTENSION, CERT_­ISSUER_­NOT_­FOUND, DUPLICATE_­CERT_­EXTENSION, CA_­CERT_­NOT_­FOR_­CERT_­ISSUER, CANNOT_­ESTABLISH_­TRUST
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS, MBEDTLS_­X509_­BADCERT_­KEY_­USAGE, MBEDTLS_­X509_­BADCERT_­NOT_­TRUSTED
• OpenJDK: NO_­MESSAGE, UNABLE_­TO_­FIND_­VALID_­CERTIFICATION_­PATH, FAILED_­TO_­PARSE_­SERVER_­CERTIFICATES, PKIX_­PATH_­VALIDATION_­FAILED, CA_­KEY_­USAGE_­FAILED, UNRECOGNIZED_­CRITICAL_­EXTENSION

Redesigned documentation:

The provided certificate is self-signed and it is not present in the list of trusted certificates.

Explanation

The provided certificate is self-signed (the issuer and subject fields are the same). Self-signed certificates usually serve as the root of trust in certificate chains belonging to the Certificate Authorities (CA). However, this certificate is at “zero depth,” i.e., it does not form a certificate chain. Neither is it present in the list of explicitly trusted CAs in your system.

Security perspective

Anyone can issue a self-signed certificate. Thus, the information contained in the certificate is not reliable. Therefore, the server presenting this certificate may not be who it claims.

Next steps

Try to find out if the self-signed certificate was expected at this place. Try to get a proper CA-signed certificated as self-signed certificates are not recommended even for testing purposes. If you are absolutely certain this is the certificate issued by a trustworthy party, you can mark it as trusted by your system. The provided certificate is self-signed and it cannot be found in the list of trusted certificates.

Original documentation:

The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates. (source)

Original error message:

self signed certificate (source)

Original documentation:

The certificate chain could be built up using the untrusted certificates but the root could not be found locally. (source)

Original error message:

self signed certificate in certificate chain (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­SELF_­SIGNED_­CERT_­IN_­CHAIN in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  self-signed-intermediate (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­SELF_­SIGNED_­CERT_­IN_­CHAIN in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­NOT_­FOUND
• Botan: CANNOT_­ESTABLISH_­TRUST
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­NOT_­TRUSTED
• OpenJDK: UNABLE_­TO_­FIND_­VALID_­CERTIFICATION_­PATH

Original documentation:

The certificate chain length is greater than the supplied maximum depth. Unused. (source)

Original error message:

certificate chain too long (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CERT_­CHAIN_­TOO_­LONG in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  openssl-length-exceeded (see the  generation script)

Original documentation:

The CRL of a certificate could not be found. (source)

Original error message:

unable to get certificate CRL (source)

Original documentation:

Unable to get CRL issuer certificate. (source)

Original error message:

unable to get CRL issuer certificate (source)

Original documentation:

CRL path validation error. (source)

Original error message:

CRL path validation error (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CRL_­PATH_­VALIDATION_­ERROR in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  crl_path_validation_error (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CRL_­PATH_­VALIDATION_­ERROR in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

Different CRL scope. (source)

Original error message:

Different CRL scope (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­DIFFERENT_­CRL_­SCOPE in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  different_crl_scope (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­DIFFERENT_­CRL_­SCOPE in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

No signatures could be verified because the chain contains only one certificate and it is not self signed. (source)

Original error message:

unable to verify the first certificate (source)

Original documentation:

Path loop. (source)

Original error message:

path loop (source)

Unused: Is actively used in the code once in function check_issued in file x509_vfy.c, but cannot be returned outside of that function.

Original documentation:

Returned by the verify callback to indicate that the certificate is not recognized by the OCSP responder. (source)

Original error message:

OCSP unknown cert (source)

Original documentation:

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)

Original error message:

authority and subject key identifier mismatch (source)

Unused: The documentation states that the error code is not used.

Original documentation:

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)

Original error message:

authority and subject key identifier mismatch (source)

Unused: The documentation states that the error code is not used.

Original documentation:

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)

Original error message:

subject issuer mismatch (source)

Unused: The documentation states that the error code is not used.

Original documentation:

Returned by the verify callback to indicate OCSP verification failed. (source)

Original error message:

OCSP verification failed (source)

Original documentation:

The root CA is not marked as trusted for the specified purpose. (source)

Original error message:

certificate not trusted (source)

Unused: The code is defined but never returned.

Original documentation:

Unsupported extension feature. (source)

Original error message:

unsupported extension feature (source)

Unused: As of now only defined in the code but not used.

Original documentation:

A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose. (source)

Original error message:

invalid CA certificate (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­INVALID_­CA in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  issuer-ca-false (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­INVALID_­CA in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­NOT_­CA
• Botan: CA_­CERT_­NOT_­FOR_­CERT_­ISSUER
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­NOT_­TRUSTED
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, NOT_­A_­CA_­CERTIFICATE

Redesigned documentation:

The allowed length of the certification path was exceeded.

Explanation

Certification Authorities (CAs) can mandate the maximal length of the trusted certificate chains below their certificate. This is done using the pathLenConstraint field in the basicConstraints extension. If the certificate chain created during validation is longer than this limit, the validation fails due to the violated path length constraint. This limit includes only intermediate certificates – the first (CA) and the last (endpoint) certificates are excluded.

Security perspective

An exceeded certificate path length signifies that one of the sub-authorities issued a certificate it was not allowed. Therefore, the CA or one of the sub-authorities may not be trustworthy.

Next steps

Inspect the certificate chain to find the pathLenConstraint in the basicConstraints extension that was violated. Inform the (sub-)authority issuing this certificate about the violation lower in the certificate chain.

Original documentation:

The basicConstraints pathlength parameter has been exceeded. (source)

Original error message:

path length constraint exceeded (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­PATH_­LENGTH_­EXCEEDED in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  bc-path-len-exceeded (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­PATH_­LENGTH_­EXCEEDED in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE
• Botan: CERT_­CHAIN_­TOO_­LONG
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­NOT_­TRUSTED
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, PATH_­LEN_­CONSTRAINT_­VIOLATED

Redesigned documentation:

A critical extension was not recognized or could not be processed.

Explanation

Certificate extensions can be used for extending certificates with additional information. Each extension is either marked as critical or non-critical (in the critical field in the extension). If an extension is marked as critical, it must be processed. If the processing system cannot recognize or process a critical extension, it must reject the certificate.

Security perspective

Marking an extension as critical is a way for the certificate issuer to denote it is absolutely essential to process and understand it. If it is not processed, we may lack the necessary information and misuse the certificate. We may, for example, miss the intended purpose or key usage constraint. Inappropriateong usage circumvents the guarantees of the certificate authority, possibly putting our systems at risk.

Next steps

Inspect the certificate extensions marked with critical: true to find the offender. Make sure that only the necessary extensions are marked as critical. Marking non-standard extensions as critical may cause problems in the general context.

Original documentation:

Unhandled critical extension. (source)

Original error message:

unhandled critical extension (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­UNHANDLED_­CRITICAL_­EXTENSION in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  unknown-critical-extension (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­UNHANDLED_­CRITICAL_­EXTENSION in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­UNKNOWN_­CRIT_­EXTENSIONS
• Botan: UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, UNRECOGNIZED_­CRITICAL_­EXTENSION

Original documentation:

Unhandled critical CRL extension. (source)

Original error message:

unhandled critical CRL extension (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­UNHANDLED_­CRITICAL_­CRL_­EXTENSION in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  unhandled_critical_crl_extension (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­UNHANDLED_­CRITICAL_­CRL_­EXTENSION in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

Invalid or inconsistent certificate extension. (source)

Original error message:

invalid or inconsistent certificate extension (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­INVALID_­EXTENSION in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  empty-ip-addr-blocks (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­INVALID_­EXTENSION in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­UNKNOWN_­CRIT_­EXTENSIONS
• Botan: UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, UNRECOGNIZED_­CRITICAL_­EXTENSION

Redesigned documentation:

The requested hostname does not match the subject name in the certificate.

Explanation

Information about the certificate’s subject (an entity associated with the certificate’s public key) is held in the subjectAltName extension or the subject field. However, the hostname of the server you are connecting to does not match the subject information in the certificate.

Security perspective

You cannot verify the identity of the server to which you are connecting – you should not proceed. The server is either providing a wrong certificate (by being misconfigured) or is deliberately pretending to be a different entity to fool you. Sending or receiving data from unknown servers may put your systems at risk.

Next steps

Compare the server hostname with the subjectAltName extension and the subject field of the certificate. Common misconfigurations include not including server aliases in the certificate (e.g., www.example.com for the server example.com).

Original documentation:

Hostname mismatch. (source)

Original error message:

Hostname mismatch (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­HOSTNAME_­MISMATCH in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  empty-subject-and-no-san (see the  generation script)
• Case  host-no-match-cn (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­HOSTNAME_­MISMATCH in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­UNEXPECTED_­OWNER
• Botan: CERT_­NAME_­NOMATCH
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­CN_­MISMATCH
• OpenJDK: FAILED_­TO_­PARSE_­SERVER_­CERTIFICATES, NO_­NAME_­MATCHING

Original documentation:

Email address mismatch. (source)

Original error message:

Email address mismatch (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­EMAIL_­MISMATCH in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  openssl-email-mismatch (see the  generation script)

Original documentation:

IP address mismatch. (source)

Original error message:

IP address mismatch (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­IP_­ADDRESS_­MISMATCH in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  openssl-ip-mismatch (see the  generation script)

Original documentation:

Permitted subtree violation. (source)

Original error message:

permitted subtree violation (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­PERMITTED_­VIOLATION in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  nc-permitted-violation (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­PERMITTED_­VIOLATION in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE, GNUTLS_­CERT_­UNEXPECTED_­OWNER
• Botan: NAME_­CONSTRAINT_­ERROR
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, NAME_­CONSTRAINTS_­CHECK_­FAILED

Original documentation:

Excluded subtree violation. (source)

Original error message:

excluded subtree violation (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­EXCLUDED_­VIOLATION in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  nc-excluded-violation (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­EXCLUDED_­VIOLATION in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE, GNUTLS_­CERT_­UNEXPECTED_­OWNER
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: NO_­MESSAGE

Original documentation:

Name constraints minimum and maximum not supported. (source)

Original error message:

name constraints minimum and maximum not supported (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­SUBTREE_­MINMAX in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  nc-maximum-present (see the  generation script)
• Case  nc-minimum-not-zero (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­SUBTREE_­MINMAX in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE, GNUTLS_­CERT_­UNEXPECTED_­OWNER
• Botan: NAME_­CONSTRAINT_­ERROR, UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, MAXIMUM_­NAME_­CONSTRAINTS, MINIMUM_­NAME_­CONSTRAINTS

Original documentation:

Unsupported name constraint type. (source)

Original error message:

unsupported name constraint type (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­UNSUPPORTED_­CONSTRAINT_­TYPE in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  nc-unknown-name-type (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­UNSUPPORTED_­CONSTRAINT_­TYPE in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE
• Botan: UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: UNSUPPORTED_­HANDSHAKE_­MESSAGE

Original documentation:

Unsupported or invalid name constraint syntax. (source)

Original error message:

unsupported or invalid name constraint syntax (source)

Unused: As of now only defined in the code but not used.

Original documentation:

Unsupported or invalid name syntax. (source)

Original error message:

unsupported or invalid name syntax (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­UNSUPPORTED_­NAME_­SYNTAX in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  san-empty-email (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­UNSUPPORTED_­NAME_­SYNTAX in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­CERTIFICATE_­ERROR
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: FAILED_­TO_­PARSE_­SERVER_­CERTIFICATES

Original documentation:

RFC 3779 resource not subset of parent's resources. (source)

Original error message:

RFC 3779 resource not subset of parent's resources (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­UNNESTED_­RESOURCE in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  ip-addr-blocks-no-subset (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­UNNESTED_­RESOURCE in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­UNKNOWN_­CRIT_­EXTENSIONS
• Botan: UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, UNRECOGNIZED_­CRITICAL_­EXTENSION

Redesigned documentation:

The certificate’s key is being used for a different purpose than allowed.

Explanation

Certificates can be used for various purposes. It might be desirable to use a certificate only for specific purposes. This is achieved by the keyUsage extension, which defines nine possible usages of the certificate (e.g., digitalSignature or dataEncipherment). End entity certificates can also specify the extended key uses (in the extKeyUsage extension).

Security perspective

Using the certificate for the purpose forbidden in the certificate may pose a risk to your data or systems. (For example, the key’s security may not be sufficient for the forbidden use).

Next steps

Check both the keyUsage and extKeyUsage to see if the listed purposes include the one for which you are attempting to use the certificate.

Original documentation:

The supplied certificate cannot be used for the specified purpose. (source)

Original error message:

unsupported certificate purpose (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­INVALID_­PURPOSE in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  any-ext-key-usage (see the  generation script)
• Case  empty-ext-key-usage (see the  generation script)
• Case  empty-key-usage-end-cert (see the  generation script)
• Case  unknown-ext-key-usage (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­INVALID_­PURPOSE in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS, GNUTLS_­CERT_­UNEXPECTED_­OWNER
• Botan: INVALID_­USAGE, VERIFIED
• Mbed TLS: MBEDTLS_­OK, MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS, MBEDTLS_­X509_­BADCERT_­KEY_­USAGE, MBEDTLS_­X509_­BADCERT_­EXT_­KEY_­USAGE
• OpenJDK: NO_­MESSAGE, EXT_­KEY_­USAGE_­NO_­TLS_­SERVER, PKIX_­PATH_­VALIDATION_­FAILED, INCORRECT_­KEY_­USAGE_­BITS

Original documentation:

The root CA is marked to reject the specified purpose. (source)

Original error message:

certificate rejected (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CERT_­REJECTED in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  openssl-purpose-reject-mark (see the  generation script)

Original documentation:

Invalid or inconsistent certificate policy extension. (source)

Original error message:

invalid or inconsistent certificate policy extension (source)

Original documentation:

No explicit policy. (source)

Original error message:

no explicit policy (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­NO_­EXPLICIT_­POLICY in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  openssl-no-explicit-policy (see the  generation script)

Original documentation:

Key usage does not include CRL signing. (source)

Original error message:

key usage does not include CRL signing (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­KEYUSAGE_­NO_­CRL_­SIGN in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  keyusage_no_crl_sign (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­KEYUSAGE_­NO_­CRL_­SIGN in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

Key usage does not include digital signature. (source)

Original error message:

key usage does not include digital signature (source)

Original documentation:

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)

Original error message:

key usage does not include certificate signing (source)

Unused: The documentation states that the error code is not used.

Original documentation:

EE certificate key too weak. (source)

Original error message:

EE certificate key too weak (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­EE_­KEY_­TOO_­SMALL in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  end-entity-rsa-key-1024 (see the  generation script)
• Case  pubkey-info-invalid-oid (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­EE_­KEY_­TOO_­SMALL in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­INSECURE_­ALGORITHM, GNUTLS_­E_­CERTIFICATE_­ERROR
• Botan: TLS_­EXCEPTION, DECODING_­ERROR
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­BAD_­KEY
• OpenJDK: NO_­MESSAGE, UNSUPPORTED_­SIGNATURE_­ALGORITHM

Original documentation:

CA certificate key too weak. (source)

Original error message:

CA certificate key too weak (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CA_­KEY_­TOO_­SMALL in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  issuer-pubkey-info-invalid-oid (see the  generation script)
• Case  issuer-pubkey-invalid-oid-and-signature (see the  generation script)
• Case  issuer-rsa-key-1024 (see the  generation script)
• Case  signature-algorithm-mismatch (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CA_­KEY_­TOO_­SMALL in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­CERTIFICATE_­ERROR, GNUTLS_­CERT_­INSECURE_­ALGORITHM
• Botan: TLS_­EXCEPTION, SIGNATURE_­METHOD_­TOO_­WEAK, VERIFIED
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­BAD_­KEY
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, SIGNATURE_­CHECK_­FAILED, NO_­MESSAGE

Original documentation:

CA signature digest algorithm too weak. (source)

Original error message:

CA signature digest algorithm too weak (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CA_­MD_­TOO_­WEAK in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  issuer-hash-md5 (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CA_­MD_­TOO_­WEAK in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­INSECURE_­ALGORITHM
• Botan: UNTRUSTED_­HASH
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­BAD_­MD
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, FAILED_­SIGNATURE_­ALGORITHM

Original documentation:

Suite B: certificate version invalid. (source)

Original error message:

Suite B: certificate version invalid (source)

Original documentation:

Suite B: invalid public key algorithm. (source)

Original error message:

Suite B: invalid public key algorithm (source)

Original documentation:

Suite B: invalid ECC curve. (source)

Original error message:

Suite B: invalid ECC curve (source)

Original documentation:

Suite B: invalid signature algorithm. (source)

Original error message:

Suite B: invalid signature algorithm (source)

Original documentation:

Suite B: curve not allowed for this LOS. (source)

Original error message:

Suite B: curve not allowed for this LOS (source)

Original documentation:

Suite B: cannot sign P-384 with P-256. (source)

Original error message:

Suite B: cannot sign P-384 with P-256 (source)

(No detailed documentation provided by the library.)

Original error message:

cert info siganature and signature algorithm mismatch (source)

(No detailed documentation provided by the library.)

Original error message:

Cannot find certificate signature algorithm (source)

Original documentation:

The signature of the certificate is invalid. (source)

Original error message:

certificate signature failure (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CERT_­SIGNATURE_­FAILURE in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  invalid-signature (see the  generation script)
• Case  wrong-signature-algorithm (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CERT_­SIGNATURE_­FAILURE in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNATURE_­FAILURE, GNUTLS_­E_­CERTIFICATE_­ERROR
• Botan: SIGNATURE_­ERROR, DECODING_­ERROR
• Mbed TLS: MBEDTLS_­X509_­BADCERT_­NOT_­TRUSTED, MBEDTLS_­ERR_­X509_­SIG_­MISMATCH
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, SIGNATURE_­CHECK_­FAILED, FAILED_­TO_­PARSE_­SERVER_­CERTIFICATES

Original documentation:

The signature of the certificate is invalid. (source)

Original error message:

CRL signature failure (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­CRL_­SIGNATURE_­FAILURE in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  crl_signature_failure (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­CRL_­SIGNATURE_­FAILURE in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

The certificate notBefore field contains an invalid time. (source)

Original error message:

format error in certificate's notBefore field (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­ERROR_­IN_­CERT_­NOT_­BEFORE_­FIELD in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  notbefore-field-invalid (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­ERROR_­IN_­CERT_­NOT_­BEFORE_­FIELD in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­ASN1_­DER_­ERROR
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­DATE
• OpenJDK: FAILED_­TO_­PARSE_­SERVER_­CERTIFICATES

Original documentation:

The certificate notAfter field contains an invalid time. (source)

Original error message:

format error in certificate's notAfter field (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­ERROR_­IN_­CERT_­NOT_­AFTER_­FIELD in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  notafter-field-invalid (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­ERROR_­IN_­CERT_­NOT_­AFTER_­FIELD in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­ASN1_­DER_­ERROR
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­DATE
• OpenJDK: FAILED_­TO_­PARSE_­SERVER_­CERTIFICATES

Original documentation:

The CRL lastUpdate field contains an invalid time. (source)

Original error message:

format error in CRL's lastUpdate field (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­ERROR_­IN_­CRL_­LAST_­UPDATE_­FIELD in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  error_in_crl_last_update_field (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­ERROR_­IN_­CRL_­LAST_­UPDATE_­FIELD in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

The CRL nextUpdate field contains an invalid time. (source)

Original error message:

format error in CRL's nextUpdate field (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­ERROR_­IN_­CRL_­NEXT_­UPDATE_­FIELD in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  error_in_crl_next_update_field (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­ERROR_­IN_­CRL_­NEXT_­UPDATE_­FIELD in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS
• Botan: VERIFIED
• Mbed TLS: MBEDTLS_­OK
• OpenJDK: NO_­MESSAGE

Original documentation:

The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys. (source)

Original error message:

unable to decrypt certificate's signature (source)

Original documentation:

The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused. (source)

Original error message:

unable to decrypt CRL's signature (source)

Unused: As of now only defined in the code but not used. Also marked as unused in the docs.

Original documentation:

The public key in the certificate SubjectPublicKeyInfo could not be read. (source)

Original error message:

unable to decode issuer public key (source)

Original documentation:

Issuer certificate doesn't have a public key. (source)

Original error message:

issuer certificate doesn't have a public key (source)

Original documentation:

Subject signature algorithm and issuer public key algorithm mismatch (source)

Original error message:

subject signature algorithm and issuer public key algorithm mismatch (source)

(No detailed documentation provided by the library.)

Original error message:

Path length invalid for non-CA cert (source)

(No detailed documentation provided by the library.)

Original error message:

Path length given without key usage keyCertSign (source)

(No detailed documentation provided by the library.)

Original error message:

Key usage keyCertSign invalid for non-CA cert (source)

(No detailed documentation provided by the library.)

Original error message:

Issuer name empty (source)

(No detailed documentation provided by the library.)

Original error message:

Subject name empty (source)

(No detailed documentation provided by the library.)

Original error message:

Missing Authority Key Identifier (source)

(No detailed documentation provided by the library.)

Original error message:

Missing Subject Key Identifier (source)

(No detailed documentation provided by the library.)

Original error message:

Empty Subject Alternative Name extension (source)

(No detailed documentation provided by the library.)

Original error message:

Subject empty and Subject Alt Name extension not critical (source)

(No detailed documentation provided by the library.)

Original error message:

Basic Constraints of CA cert not marked critical (source)

(No detailed documentation provided by the library.)

Original error message:

Authority Key Identifier marked critical (source)

(No detailed documentation provided by the library.)

Original error message:

Subject Key Identifier marked critical (source)

(No detailed documentation provided by the library.)

Original error message:

CA cert does not include key usage extension (source)

(No detailed documentation provided by the library.)

Original error message:

Using cert extension requires at least X509v3 (source)

(No detailed documentation provided by the library.)

Original error message:

Certificate public key has explicit ECC parameters (source)

Original documentation:

Proxy certificates not allowed, please use -allow_proxy_certs. (source)

Original error message:

proxy certificates not allowed, please set the appropriate flag (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­PROXY_­CERTIFICATES_­NOT_­ALLOWED in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  openssl-proxy-not-allowed (see the  generation script)

Original documentation:

Invalid non-CA certificate has CA markings. (source)

Original error message:

invalid non-CA certificate (has CA markings) (source)

Original documentation:

Proxy path length constraint exceeded. (source)

Original error message:

proxy path length constraint exceeded (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­PROXY_­PATH_­LENGTH_­EXCEEDED in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  proxy-length-exceeded (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­PROXY_­PATH_­LENGTH_­EXCEEDED in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE, GNUTLS_­CERT_­SIGNER_­NOT_­CA, GNUTLS_­CERT_­UNEXPECTED_­OWNER
• Botan: UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, CA_­KEY_­USAGE_­FAILED

Original documentation:

Proxy certificate name violation. (source)

Original error message:

proxy subject name violation (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­ERR_­PROXY_­SUBJECT_­NAME_­VIOLATION in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  proxy-name-no-match-issuer (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­ERR_­PROXY_­SUBJECT_­NAME_­VIOLATION in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE, GNUTLS_­CERT_­SIGNER_­NOT_­CA
• Botan: UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS
• OpenJDK: PKIX_­PATH_­VALIDATION_­FAILED, CA_­KEY_­USAGE_­FAILED

Original documentation:

Invalid certificate verification context. (source)

Original error message:

invalid certificate verification context (source)

Original documentation:

Issuer certificate lookup error. (source)

Original error message:

issuer certificate lookup error (source)

Original documentation:

An error occurred trying to allocate memory. This should never happen. (source)

Original error message:

out of memory (source)

Original documentation:

Application verification failure. Unused. (source)

Original error message:

application verification failure (source)

Original documentation:

DANE TLSA authentication is enabled, but no TLSA records matched the certificate chain. This error is only possible in s_client(1). (source)

Original error message:

no matching DANE TLSA records (source)

Original documentation:

Certificate Transparency required, but no valid SCTs found. (source)

Original error message:

Certificate Transparency required, but no valid SCTs found (source)

Original documentation:

Returned by the verify callback to indicate an OCSP verification is needed. (source)

Original error message:

OCSP verification needed (source)

Original documentation:

Unspecified error; should not happen. (source)

Original error message:

unspecified certificate verification error (source)

Original documentation:

The operation was successful. (source)

Original error message:

ok (source)

Example certificates

Below you can download one or more example malformed certificates causing X509_­V_­OK in OpenSSL. If you are interested in generating these certificates yourself, see the corresponding generating script for each case on the project Github.

• Case  bc-not-critical-ca (see the  generation script)
• Case  bc-path-len-in-non-ca (see the  generation script)
• Case  nc-empty (see the  generation script)
• Case  negative-serial-number (see the  generation script)
• Case  no-key-usage-in-ca (see the  generation script)
• Case  san-null-byte-in-email (see the  generation script)
• Case  v1-cert-with-extensions (see the  generation script)
• Case  v4-cert (see the  generation script)
• Case  valid-proxy (see the  generation script)
• Case  valid-with-aia (see the  generation script)
• Case  valid-with-crldp (see the  generation script)
• Case  valid (see the  generation script)

Corresponding errors

What validation errors do other libraries give for certificates causing X509_­V_­OK in OpenSSL? Below, you can see the basic overview based on the example certificates from the previous section. (The list may be incomplete.)

• GnuTLS: GNUTLS_­E_­SUCCESS, GNUTLS_­CERT_­UNEXPECTED_­OWNER, GNUTLS_­E_­CERTIFICATE_­ERROR, GNUTLS_­CERT_­SIGNER_­CONSTRAINTS_­FAILURE, GNUTLS_­CERT_­SIGNER_­NOT_­CA
• Botan: VERIFIED, ENCODING_­ERROR, EXT_­IN_­V1_­V2_­CERT, DECODING_­ERROR, UNKNOWN_­CRITICAL_­EXTENSION
• Mbed TLS: MBEDTLS_­OK, MBEDTLS_­ERR_­X509_­INVALID_­EXTENSIONS, MBEDTLS_­ERR_­X509_­INVALID_­FORMAT
• OpenJDK: NO_­MESSAGE, FAILED_­TO_­PARSE_­SERVER_­CERTIFICATES, PKIX_­PATH_­VALIDATION_­FAILED, CA_­KEY_­USAGE_­FAILED