Usable X.509 errors: OpenSSL
Validating X.509 certificates correctly turns out to be pretty complicated (e.g. Georgiev2012, Ukrop2019). Yet certificate validation is absolutely crucial for secure communication on the Internet (think TLS).
Our goal is to simplify the ecosystem by consolidating the errors and their documentation (similarly to web documentation) and by explaining better what the validation errors mean.
For every error, we aim to provide our redesigned documentation, an example certificate, the original documentation provided by the library (with unused or deprecated errors marked as such), and links to corresponding errors in other libraries. In the future, we plan on adding error frequencies based on IP-wide scans and elaborating on the consequences of individual errors.
Multiple libraries
Our consolidated taxonomy covers the eight most used TLS-enabled libraries. The main structure is based on OpenSSL, as it is by far the most used library in the domain of TLS.
Further details
We extend the existing research on security, TLS and documentation design. Details are described in the frequently asked questions on a separate page.
Feedback welcome!
Like the project? Think it's useless? Found something not working? Please let us know, we are grateful for all feedback.
Time validity errors
Errors occurring when a certificate (or a CRL) is outside its validity period, or when the certificate has been revoked by its CA.
Relevant links: Certificate Validity (RFC 5280), Certificate Revocation (RFC 5280)
Original documentation:
The certificate is not yet valid: the notBefore date is after the current time. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Corresponding errors:
- GnuTLS/GNUTLS_CERT_NOT_ACTIVATED
- Botan/CERT_NOT_YET_VALID
- mbedTLS/MBEDTLS_X509_BADCERT_FUTURE
Redesigned documentation:
The validity period of the certificate has ended.
Explanation
Every certificate is issued for a fixed time period, bounded by the notBefore and notAfter fields of the certificate. This period determines the validity of the certificate; once it elapses, the certificate has expired.
Security perspective
The certificate is no longer valid, which means that the issuing Certification Authority (CA) no longer maintains information about it and no longer guarantees the correctness of the information it contains. Moreover, expired certificates may be dropped from Certificate Revocation Lists (CRLs), so a certificate that was revoked in the past (e.g., because its private key was exposed) may no longer be reported as revoked once it has expired.
Consequences
An expired certificate is untrustworthy, which may harm your business. If you decide to trust it anyway, you may be communicating with a different person or entity than you think, which can lead to theft of personal information.
Next steps
Ensure that the date, time and time zone are set correctly on your device. If the time settings are correct, a new valid certificate has to be obtained from a CA: contact either the CA that issued the previous certificate or another CA.
Original documentation:
The certificate has expired: that is the notAfter date is before the current time. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Corresponding errors:
- GnuTLS/GNUTLS_CERT_EXPIRED
- Botan/CERT_HAS_EXPIRED
- mbedTLS/MBEDTLS_X509_BADCERT_EXPIRED
Original documentation:
The CRL is not yet valid. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
Corresponding errors:
Original documentation:
The CRL has expired. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
Corresponding errors:
Original documentation:
The certificate has been revoked. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
Corresponding errors:
- GnuTLS/GNUTLS_CERT_REVOKED
- Botan/CERT_IS_REVOKED
- mbedTLS/MBEDTLS_X509_BADCERT_REVOKED
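The five errors above come from a handful of comparisons against the clock plus the parsing of the RFC 5280 time encodings. The following Python is an added model written for this page, not OpenSSL's or the project's code: the Cert and Crl records, the helper names and the sample data are illustrative, and only the error names and the rules (the UTCTime year pivot, mandatory seconds and 'Z', CRL checks before certificate time checks, expiry at an instant equal to notAfter) are taken from RFC 5280 and OpenSSL's behaviour. The `at` argument plays the part of `openssl verify -attime`, which is the easiest way to reproduce these errors against real certificates.

```python
"""Time-validity and CRL checks behind the errors in this section, as an added
model (not OpenSSL's or the project's code). Certificates and CRLs are plain
records carrying the already-extracted fields."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set
import re

# RFC 5280 4.1.2.5: UTCTime is YYMMDDHHMMSSZ (two-digit year, 50..99 -> 19xx and
# 00..49 -> 20xx, so 1950-2049), GeneralizedTime is YYYYMMDDHHMMSSZ. Seconds and
# the trailing 'Z' are mandatory and fractional seconds are forbidden, so any
# other form is an encoding error in the time field.
_UTC_TIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

def parse_x509_time(text: str) -> datetime:
    """Decode an RFC 5280 time string; raise ValueError for any invalid form."""
    if m := _UTC_TIME.match(text):
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = [int(g) for g in m.groups()[1:]]
    elif m := _GEN_TIME.match(text):
        year, *rest = (int(g) for g in m.groups())
    else:
        raise ValueError(f"not a valid UTCTime/GeneralizedTime: {text!r}")
    # datetime() itself rejects impossible calendar values such as month 13.
    return datetime(year, *rest, tzinfo=timezone.utc)

@dataclass
class Cert:
    serial: int
    not_before: str   # raw notBefore string as encoded in the certificate
    not_after: str

@dataclass
class Crl:
    this_update: str
    next_update: Optional[str] = None               # nextUpdate is OPTIONAL
    revoked: Set[int] = field(default_factory=set)  # revoked serial numbers

def check(cert: Cert, crl: Optional[Crl] = None, at: Optional[datetime] = None) -> str:
    """Return the applicable X509_V_ERR_* name, or 'OK'. `at` plays the role of
    `openssl verify -attime`; passing a CRL corresponds to `-crl_check -CRLfile`.
    As in OpenSSL, the CRL checks run before the certificate's own time checks
    (so a revoked certificate that has also expired reports CERT_REVOKED) and an
    instant equal to notAfter or nextUpdate already counts as expired."""
    now = at or datetime.now(timezone.utc)
    if crl is not None:
        try:
            last_update = parse_x509_time(crl.this_update)
        except ValueError:
            return "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD"
        if now < last_update:
            return "X509_V_ERR_CRL_NOT_YET_VALID"
        if crl.next_update is not None:
            try:
                next_update = parse_x509_time(crl.next_update)
            except ValueError:
                return "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD"
            if now >= next_update:
                return "X509_V_ERR_CRL_HAS_EXPIRED"
        if cert.serial in crl.revoked:
            return "X509_V_ERR_CERT_REVOKED"
    try:
        not_before = parse_x509_time(cert.not_before)
    except ValueError:
        return "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD"
    if now < not_before:
        return "X509_V_ERR_CERT_NOT_YET_VALID"
    try:
        not_after = parse_x509_time(cert.not_after)
    except ValueError:
        return "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD"
    if now >= not_after:
        return "X509_V_ERR_CERT_HAS_EXPIRED"
    return "OK"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data, not real certificates: a certificate valid during 2020
# and a CRL issued 2020-07-01 (nextUpdate a month later) that revokes it.
SAMPLE_CERT = Cert(serial=0x1001, not_before="200101000000Z", not_after="210101000000Z")
SAMPLE_CRL = Crl(this_update="200701000000Z", next_update="200801000000Z", revoked={0x1001})

def demo() -> dict:
    """Evaluate the sample at several instants, as -attime lets you do."""
    return {
        "before_notBefore": check(SAMPLE_CERT, at=utc(2019, 6, 1)),
        "inside_validity": check(SAMPLE_CERT, at=utc(2020, 6, 1)),
        "crl_not_yet_valid": check(SAMPLE_CERT, SAMPLE_CRL, at=utc(2020, 6, 1)),
        "revoked": check(SAMPLE_CERT, SAMPLE_CRL, at=utc(2020, 7, 15)),
        "crl_expired": check(SAMPLE_CERT, SAMPLE_CRL, at=utc(2020, 9, 1)),
        "after_notAfter": check(SAMPLE_CERT, at=utc(2022, 1, 1)),
    }
```

Against a real archive, the same instants can be tried with `openssl verify -attime <epoch seconds> -CAfile ca.crt endpoint.crt` (with GNU date, `-attime $(date -d 2019-06-01 +%s)`); note that a CRL without nextUpdate never expires, which is why the model keeps that field optional.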
Trust or chain related errors
These errors occur when the trust chain to the root certificate is not built correctly or fails.
Relevant links: Certificate Paths (RFC 5280), Certificate Revocation Lists (RFC 5280), OCSP (RFC 2560, obsoleted by RFC 6960)
Original documentation:
The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile subca.crt -untrusted subca.crt endpoint.crt
Original documentation:
The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify endpoint.crt
Corresponding errors:
- Botan/CERT_ISSUER_NOT_FOUND
- GnuTLS/GNUTLS_CERT_SIGNER_NOT_FOUND
- mbedTLS/MBEDTLS_X509_BADCERT_NOT_TRUSTED
Redesigned documentation:
The provided certificate is self-signed and cannot be found in the list of trusted certificates.
Explanation
The provided certificate (at depth zero) is self-signed: its issuer and subject fields are the same. Self-signed certificates act as certification authorities and therefore need to be explicitly trusted; this one is not in the list of trusted certificates.
Security perspective
Anyone can create a self-signed certificate, so the information it contains is not reliable: it can state almost anything, and it may look like the certificate of a well-known company while actually belonging to a fraudster.
Consequences
If you trust the certificate without verifying its issuer, you may be trusting a certificate whose contents nobody has vouched for.
Next steps
Use self-signed certificates only for testing. Otherwise, have your certificate signed by a recognized certification authority, or, for a private PKI, add the self-signed CA certificate to the trust store of every client that needs to accept it.
Original documentation:
The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify endpoint.crt
Corresponding errors:
- GnuTLS/GNUTLS_CERT_SIGNER_NOT_FOUND
- Botan/CANNOT_ESTABLISH_TRUST
- mbedTLS/MBEDTLS_X509_BADCERT_NOT_TRUSTED
Original documentation:
The certificate chain could be built up using the untrusted certificates but the root could not be found locally. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -untrusted ca.crt endpoint.crt
Corresponding errors:
- GnuTLS/GNUTLS_CERT_SIGNER_NOT_FOUND
- Botan/CANNOT_ESTABLISH_TRUST
- mbedTLS/MBEDTLS_X509_BADCERT_NOT_TRUSTED
Original documentation:
The certificate chain length is greater than the supplied maximum depth. Unused. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile subca.crt -untrusted subca.crt -verify_depth 0 endpoint.crt
Original documentation:
The CRL of a certificate could not be found. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -crl_check -CAfile ca.crt endpoint.crt
Original documentation:
Unable to get CRL issuer certificate. (source)
Original documentation:
CRL path validation error. (source)
Original documentation:
Different CRL scope. (source)
Original documentation:
No signatures could be verified because the chain contains only one certificate and it is not self signed. (source)
Original documentation:
Path loop. (source)
Unused: the error is set once, in the function check_issued in x509_vfy.c, but cannot be returned from that function.
Original documentation:
Returned by the verify callback to indicate that the certificate is not recognized by the OCSP responder. (source)
Original documentation:
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)
Unused: The documentation states that the error code is not used.
Original documentation:
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)
Unused: The documentation states that the error code is not used.
Original documentation:
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)
Unused: The documentation states that the error code is not used.
Original documentation:
Returned by the verify callback to indicate OCSP verification failed. (source)
Basic extension errors
Errors related to extensions in general or to the BasicConstraints standard extension.
Relevant links: Certificate Extensions (RFC 5280), BasicConstraints Extension (RFC 5280)
Original documentation:
Unsupported extension feature. (source)
Unused: As of now only defined in the code but not used.
Original documentation:
A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -untrusted subca.crt endpoint.crt
Corresponding errors:
- GnuTLS/GNUTLS_CERT_SIGNER_NOT_CA
- Botan/CA_CERT_NOT_FOR_CERT_ISSUER
- mbedTLS/MBEDTLS_X509_BADCERT_NOT_TRUSTED
Redesigned documentation:
The allowed length of the certification path was exceeded.
Explanation
To validate the signature of a given certificate, we need the public key of its issuer, which is obtained from the issuer's certificate. The signature of the issuer's certificate must then be validated as well, so the certificate of its issuer is needed in turn. The process continues until a trust anchor (usually a top-level Certification Authority) is reached. The resulting chain of certificates is called a certification path. The maximal length of the certification path is limited by the p
athLenConstraint field of the BasicConstraints extension (meaningful only in CA certificates). The limit counts only the intermediate CA certificates that may follow the certificate carrying it: that certificate itself and the end-entity certificate are excluded.
Security perspective
If the permitted path length is exceeded, a CA that was only allowed to issue end-entity certificates may have issued a certificate to another Certification Authority.
Next steps
Find the certificate whose path-length limit was exceeded and set the pathLenConstraint field in its BasicConstraints extension appropriately.
Original documentation:
The basicConstraints pathlength parameter has been exceeded. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -untrusted subca1.crt -untrusted subca2.crt endpoint.crt
Corresponding errors:
- Botan/CERT_CHAIN_TOO_LONG
- GnuTLS/GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
- mbedTLS/MBEDTLS_X509_BADCERT_NOT_TRUSTED
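The chain-building errors of the previous section (issuer not found locally or in the trust store, self-signed certificate at depth zero or in the chain, chain too long) and the two CA-extension errors above all fall out of one procedure: extend the chain issuer by issuer until a trusted self-signed anchor is reached, then check that every issuer is a CA whose pathLenConstraint is respected. The following Python is an added model written for this page, not OpenSSL's or the project's code. It decides "issued by" purely by matching names (OpenSSL also verifies the signature and the authority key identifier), the Cert record and sample hierarchy are constructed for illustration, and the error precedence follows OpenSSL's build_chain() and check_chain_extensions() as documented on this page.

```python
"""How `openssl verify` builds a chain and checks the CA extensions, as an
added model (not OpenSSL's or the project's code) reproducing the trust/chain
and pathLenConstraint errors on this page. Certificates are plain records and
"issued by" is decided by name matching only."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False             # basicConstraints cA
    pathlen: Optional[int] = None   # basicConstraints pathLenConstraint, if any

def _find(pool: List[Cert], subject: str) -> Optional[Cert]:
    return next((c for c in pool if c.subject == subject), None)

def build_chain(leaf: Cert, untrusted: Iterable[Cert], trusted: Iterable[Cert],
                verify_depth: int = 100) -> Tuple[List[Cert], Optional[str]]:
    """Return (chain, error); chain[0] is the leaf and error is None only when
    a self-signed trust anchor was reached. verify_depth counts intermediates
    only (as -verify_depth does), so a chain may hold verify_depth + 2 certs."""
    untrusted, trusted = list(untrusted), list(trusted)
    chain, from_store = [leaf], [False]
    while True:
        cur = chain[-1]
        self_signed = cur.subject == cur.issuer
        if self_signed:
            if from_store[-1] or _find(trusted, cur.subject) is not None:
                return chain, None          # reached a trusted anchor
            break
        if len(chain) > verify_depth + 1:
            break                           # no room for another issuer
        # The trust store is searched first (OpenSSL's default since 1.1.0) and
        # once a certificate came from the store, only the store is searched.
        nxt = _find(trusted, cur.issuer)
        if nxt is None and not from_store[-1]:
            nxt = _find(untrusted, cur.issuer)
        if nxt is None:
            break
        chain.append(nxt)
        from_store.append(nxt in trusted)
    # Same precedence as OpenSSL's build_chain() when no anchor was found.
    if len(chain) > verify_depth + 1:
        return chain, "X509_V_ERR_CERT_CHAIN_TOO_LONG"
    if self_signed and len(chain) == 1:
        return chain, "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
    if self_signed:
        return chain, "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"
    if any(from_store):
        return chain, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"
    return chain, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"

def check_chain_extensions(chain: List[Cert]) -> Optional[str]:
    """OpenSSL's check_chain_extensions() in miniature: every issuer must be a
    CA, and no CA may have more intermediates below it than its
    pathLenConstraint permits (the CA itself and the leaf do not count)."""
    for i, cert in enumerate(chain[1:], start=1):
        if not cert.is_ca:
            return "X509_V_ERR_INVALID_CA"
        intermediates_below = i - 1
        if cert.pathlen is not None and intermediates_below > cert.pathlen:
            return "X509_V_ERR_PATH_LENGTH_EXCEEDED"
    return None

def verify(leaf: Cert, untrusted: Iterable[Cert] = (), trusted: Iterable[Cert] = (),
           verify_depth: int = 100) -> str:
    """Outcome of `openssl verify [-untrusted ...] [-CAfile ...] leaf.crt`."""
    chain, err = build_chain(leaf, untrusted, trusted, verify_depth)
    return err or check_chain_extensions(chain) or "OK"

# Constructed sample hierarchy (names only, no keys): a root limited to
# pathlen 0 above two intermediates, as in the example command above.
ROOT = Cert("ca", "ca", is_ca=True, pathlen=0)
SUBCA1 = Cert("subca1", "ca", is_ca=True)
SUBCA2 = Cert("subca2", "subca1", is_ca=True)
ENDPOINT = Cert("endpoint", "subca2")

def demo() -> dict:
    return {
        "pathlen_exceeded": verify(ENDPOINT, [SUBCA1, SUBCA2], [ROOT]),
        "pathlen_ok": verify(ENDPOINT, [SUBCA1, SUBCA2], [Cert("ca", "ca", True, 2)]),
        "issuer_not_ca": verify(Cert("e", "subca1"), [Cert("subca1", "ca")], [ROOT]),
        "no_stores": verify(ENDPOINT),                    # openssl verify endpoint.crt
        "self_signed_leaf": verify(Cert("me", "me")),
        "untrusted_root": verify(Cert("e", "ca"), untrusted=[Cert("ca", "ca", True)]),
        "trusted_subca_only": verify(Cert("e", "subca1"), [SUBCA1], [SUBCA1]),
        "depth_zero": verify(Cert("e", "subca1"), [SUBCA1], [SUBCA1], verify_depth=0),
    }
```

The last two cases are the two `-CAfile subca.crt -untrusted subca.crt` commands from the chain section: with the default depth the intermediate is found in the trust store but its own issuer is not, which is the non-local UNABLE_TO_GET_ISSUER_CERT; with `-verify_depth 0` the chain may not grow beyond the leaf, so CERT_CHAIN_TOO_LONG is reported first.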
Redesigned documentation:
Either a critical extension was not recognized, or the information in a critical extension could not be processed.
Explanation
Certificate extensions incorporate additional information into a certificate. An extension can be critical or non-critical, as determined by the critical field of each extension. All extensions marked critical must be processed: a system that cannot recognize a critical extension must reject the certificate, and it must also reject the certificate when it cannot process the information the critical extension contains.
Security perspective
An extension can carry arbitrary information, and marking it critical means that processing it is essential. If it cannot be processed, there is a risk that the certificate's key is used in a manner it must not be, e.g., for a purpose other than the one it was issued for, or that a Certification Authority issues certificates for subject names it is not allowed to issue for, among many other risks.
Consequences
If you ignore critical extensions that cannot be processed, the certificate may end up being used in ways its issuer never authorized.
Next steps
Make sure that only necessary extensions are marked critical and that the values of critical extensions are meaningful. It is recommended to use the standard extensions specified in RFC 5280; marking non-standard extensions critical causes interoperability problems with software that does not understand them.
Original documentation:
Unhandled critical extension. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Corresponding errors:
Original documentation:
Unhandled critical CRL extension. (source)
Original documentation:
Invalid or inconsistent certificate extension. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Name related errors
Errors signalling problems with hostname verification, the NameConstraints standard extension or the IP Address Delegation extension.
Relevant links: NameConstraints extension (RFC 5280), IP Address Delegation extension (RFC 3779), Certificate Common Name (RFC 5280)
Redesigned documentation:
The requested hostname does not match the subject name in the certificate.
Explanation
Information about the certificate's holder (the entity associated with the certificate's public key) is held in the subject field and/or in the subjectAltName extension. In this case, the certificate was issued to the entity named in those fields, but that name differs from the server's hostname.
Security perspective
The server presents itself under a name that is not its own. This can be the work of an attacker who wants to steal the information you share with the server (e.g., your username and password). It can also result from a misconfigured server or from incomplete information in the certificate.
Consequences
If you are talking to a different server than you think, you may receive wrong or malicious content. Moreover, all information you provide to this server can be misused.
Next steps
Check whether all possible hostnames are listed in the certificate, either in the subject field or in the subjectAltName extension (e.g., 'example.com' and also 'www.example.com'). Note that current clients, and OpenSSL by default whenever the extension is present, match only the subjectAltName entries, so the names have to be listed there. Alternatively, redirect all associated traffic to the hostname that is indicated in the subject field or in the subjectAltName extension (e.g., redirect 'example.com' to 'www.example.com').
Original documentation:
Hostname mismatch. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -verify_hostname www.crocs.muni.cz endpoint.crt
Corresponding errors:
- Botan/CERT_NAME_NOMATCH
- mbedTLS/MBEDTLS_X509_BADCERT_CN_MISMATCH
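What `-verify_hostname` actually compares is the requested name against the dNSName entries of subjectAltName (falling back to the subject CN only when there are none), with case folded and wildcards interpreted under fixed rules. The Python below is an added model of that match written for this page, not OpenSSL's or the project's code, and it works on names already extracted from the certificate (for example with `openssl x509 -noout -ext subjectAltName -in endpoint.crt`). It applies the stricter RFC 6125 / browser wildcard rule, in which only a bare '*' as the whole left-most label is a wildcard; OpenSSL by default additionally accepts partial wildcards such as 'f*o.example.com'. IP-address literals are not covered: those are matched against iPAddress entries, which is what `-verify_ip` is for.

```python
"""Host-name matching of the kind OpenSSL performs for -verify_hostname
(X509_VERIFY_PARAM_set1_host), as an added model (not OpenSSL's code) working
on names already extracted from the certificate."""
from typing import Iterable, Optional

def _labels(name: str):
    # DNS names are case-insensitive; a trailing dot just marks an absolute name.
    return name.lower().rstrip(".").split(".")

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does the certificate name `pattern` cover `hostname`?"""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:
        return False                    # empty label: malformed name
    if "*" not in pattern:
        return p == h                   # exact (case-insensitive) match
    # Wildcard rules: only the whole left-most label may be '*', it matches
    # exactly one label, and it must not be in the last two labels, so
    # '*.example.com' is fine while '*.com', 'www.*.com' and 'w*.example.com'
    # are rejected outright.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(h) == len(p) and h[1:] == p[1:]

def check_hostname(hostname: str, san_dns_names: Iterable[str],
                   subject_cn: Optional[str] = None) -> str:
    """Return 'OK' or X509_V_ERR_HOSTNAME_MISMATCH. As in OpenSSL's default
    behaviour, the subject CN is consulted only when the certificate carries
    no dNSName entries in subjectAltName at all."""
    names = list(san_dns_names)
    if not names and subject_cn:
        names = [subject_cn]
    if any(dns_name_matches(n, hostname) for n in names):
        return "OK"
    return "X509_V_ERR_HOSTNAME_MISMATCH"

if __name__ == "__main__":
    # The page's own example: the endpoint certificate does not carry the www name.
    print(check_hostname("www.crocs.muni.cz", ["crocs.muni.cz"]))
```

The CN fallback is the part that surprises people: once a certificate carries any dNSName, a matching CN no longer rescues it, which is the second-to-last case in the assertions below and the usual cause of this error after a certificate is reissued with an incomplete SAN list.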
Original documentation:
Email address mismatch. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -verify_email crocs@muni.cz endpoint.crt
Original documentation:
IP address mismatch. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -verify_ip 192.168.0.0 endpoint.crt
Original documentation:
Permitted subtree violation. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Corresponding errors:
- Botan/NAME_CONSTRAINT_ERROR
- GnuTLS/GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
- mbedTLS/MBEDTLS_X509_BADCERT_NOT_TRUSTED
Original documentation:
Excluded subtree violation. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Corresponding errors:
Original documentation:
Name constraints minimum and maximum not supported. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Original documentation:
Unsupported name constraint type. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Original documentation:
Unsupported or invalid name constraint syntax. (source)
Unused: As of now only defined in the code but not used.
Original documentation:
Unsupported or invalid name syntax. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Original documentation:
RFC 3779 resource not subset of parent's resources. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Usage and policy errors
Errors related to standard extensions CertificatePolicies, KeyUsage and ExtendedKeyUsage.
Relevant links: KeyUsage extension (RFC5280), ExtendedKeyUsage extension (RFC5280), CertificatePolicies extension (RFC5280)
Redesigned documentation:
The certificate's key is being used for a purpose it is not allowed to serve.
Explanation
Certificates can be used for various purposes, and it is often desirable to restrict a certificate to specific purpose(s). This is achieved by the KeyUsage extension, which defines nine possible usages of the certificate's key. End-entity certificates can additionally contain the ExtendedKeyUsage extension, which identifies purposes (e.g., TLS server authentication) beyond those expressed by KeyUsage. If both extensions are present, the certificate must be used only for purposes consistent with both of them.
Security perspective
The wrong use of a key can be caused by malicious intent or by mistake.
Next steps
Check whether both extensions include the purpose for which the certificate is being used.
Original documentation:
The supplied certificate cannot be used for the specified purpose. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -purpose sslserver endpoint.crt
Corresponding errors:
- GnuTLS/GNUTLS_CERT_PURPOSE_MISMATCH
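The rule "consistent with both extensions when both are present, unrestricted when an extension is absent" is easiest to see in code. The Python below is an added model written for this page, not OpenSSL's or the project's code: it works on KeyUsage bit names and ExtendedKeyUsage OIDs already decoded from a certificate, the Cert record and sample certificates are constructed for illustration, and the purpose definitions follow OpenSSL's sslserver and sslclient purposes (at least one of digitalSignature, keyEncipherment or keyAgreement plus serverAuth for a server; digitalSignature plus clientAuth for a client). One assumption is flagged in the code: anyExtendedKeyUsage is honoured as RFC 5280 permits, which may be more lenient than OpenSSL's own `-purpose` check. The same block also covers the "Key usage does not include CRL signing" entry further down.

```python
"""Purpose checking of the kind behind `openssl verify -purpose sslserver`,
plus the CRL-signer check, as an added model (not OpenSSL's or the project's
code) working on KeyUsage bits and ExtendedKeyUsage OIDs already decoded
from a certificate."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# KeyUsage bit names (RFC 5280 4.2.1.3) used below
DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT = "digitalSignature", "keyEncipherment", "keyAgreement"
KEY_CERT_SIGN, CRL_SIGN = "keyCertSign", "cRLSign"
# ExtendedKeyUsage OIDs (RFC 5280 4.2.1.12)
SERVER_AUTH, CLIENT_AUTH, ANY_EKU = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "2.5.29.37.0"

@dataclass(frozen=True)
class Cert:
    is_ca: bool = False
    key_usage: Optional[FrozenSet[str]] = None       # None: extension absent
    ext_key_usage: Optional[FrozenSet[str]] = None   # None: extension absent

# purpose -> (KeyUsage bits of which at least one must be set, required EKU),
# following the definitions of OpenSSL's sslserver and sslclient purposes.
PURPOSES = {
    "sslserver": (frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT}), SERVER_AUTH),
    "sslclient": (frozenset({DIGITAL_SIGNATURE}), CLIENT_AUTH),
}

def check_purpose(cert: Cert, purpose: str, is_issuer: bool = False) -> str:
    """Return 'OK' or the X509_V_ERR_* name for one certificate of the chain.
    An absent extension imposes no restriction; a present one must permit the
    use, and when both are present the use must be consistent with both.
    Assumption: anyExtendedKeyUsage is honoured as RFC 5280 allows, which may
    be more permissive than OpenSSL's own -purpose check."""
    ku_needed, eku_needed = PURPOSES[purpose]
    if is_issuer:
        # Issuers need cA=TRUE and, when KeyUsage is present, keyCertSign.
        if not cert.is_ca or (cert.key_usage is not None and KEY_CERT_SIGN not in cert.key_usage):
            return "X509_V_ERR_INVALID_CA"
    elif cert.key_usage is not None and not (cert.key_usage & ku_needed):
        return "X509_V_ERR_INVALID_PURPOSE"
    # The EKU restriction binds issuers too: an intermediate whose EKU lacks
    # serverAuth cannot sit in a chain that is verified for sslserver.
    if cert.ext_key_usage is not None and not ({eku_needed, ANY_EKU} & cert.ext_key_usage):
        return "X509_V_ERR_INVALID_PURPOSE"
    return "OK"

def check_chain_purpose(chain: List[Cert], purpose: str) -> str:
    """Apply the purpose check to a whole chain, leaf first, issuers after."""
    for depth, cert in enumerate(chain):
        result = check_purpose(cert, purpose, is_issuer=depth > 0)
        if result != "OK":
            return result
    return "OK"

def check_crl_signer(issuer: Cert) -> str:
    """The check behind X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: a CRL issuer whose
    KeyUsage is present must have cRLSign set."""
    if issuer.key_usage is not None and CRL_SIGN not in issuer.key_usage:
        return "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN"
    return "OK"

# Constructed sample certificates (decoded extensions only, no keys).
SERVER = Cert(key_usage=frozenset({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT}), ext_key_usage=frozenset({SERVER_AUTH}))
CLIENT_ONLY = Cert(key_usage=frozenset({DIGITAL_SIGNATURE}), ext_key_usage=frozenset({CLIENT_AUTH}))
CA = Cert(is_ca=True, key_usage=frozenset({KEY_CERT_SIGN, CRL_SIGN}))
CA_NO_CRL_SIGN = Cert(is_ca=True, key_usage=frozenset({KEY_CERT_SIGN}))

def demo() -> dict:
    return {
        "server_ok": check_chain_purpose([SERVER, CA], "sslserver"),
        "client_cert_as_server": check_chain_purpose([CLIENT_ONLY, CA], "sslserver"),
        "client_cert_as_client": check_chain_purpose([CLIENT_ONLY, CA], "sslclient"),
        "ku_only_keyCertSign": check_chain_purpose([Cert(key_usage=frozenset({KEY_CERT_SIGN})), CA], "sslserver"),
        "issuer_not_ca": check_chain_purpose([SERVER, Cert(key_usage=frozenset({KEY_CERT_SIGN}))], "sslserver"),
        "no_extensions": check_chain_purpose([Cert(), Cert(is_ca=True)], "sslserver"),
        "crl_signer_ok": check_crl_signer(CA),
        "crl_signer_missing_bit": check_crl_signer(CA_NO_CRL_SIGN),
    }
```

The case worth remembering is "client_cert_as_server": a certificate with a perfectly good KeyUsage still fails `-purpose sslserver` when its ExtendedKeyUsage names only clientAuth, because both extensions have to agree.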
Original documentation:
The root CA is marked to reject the specified purpose. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -purpose sslserver -CAfile sca.crt endpoint.crt
Original documentation:
Invalid or inconsistent certificate policy extension. (source)
Original documentation:
No explicit policy. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -policy_check -explicit_policy -policy 1.3.6.1.4.1.5484.1.10.99.1.0 endpoint.crt
Original documentation:
Key usage does not include CRL signing. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl endpoint.crt
Original documentation:
Key usage does not include digital signature. (source)
Original documentation:
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. (source)
Unused: The documentation states that the error code is not used.
Algorithm related errors
Various errors signalling the use of invalid or deprecated algorithms.
Relevant links: Algorithm and Key Size Profile for PKI (RFC 7935), Suite B Profile for TLS (RFC 6460)
Original documentation:
EE certificate key too weak. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -auth_level 1 endpoint.crt
Corresponding errors:
- mbedTLS/MBEDTLS_X509_BADCERT_BAD_KEY
Original documentation:
CA certificate key too weak. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -auth_level 1 endpoint.crt
Corresponding errors:
- Botan/SIGNATURE_METHOD_TOO_WEAK
- mbedTLS/MBEDTLS_X509_BADCERT_BAD_KEY
Original documentation:
CA signature digest algorithm too weak. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -auth_level 3 endpoint.crt
Corresponding errors:
- Botan/UNTRUSTED_HASH
- mbedTLS/MBEDTLS_X509_BADCERT_BAD_MD
Original documentation:
Suite B: certificate version invalid. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -suiteB_128_only endpoint.crt
Original documentation:
Suite B: invalid public key algorithm. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -suiteB_192 endpoint.crt
Original documentation:
Suite B: invalid ECC curve. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -suiteB_128_only endpoint.crt
Original documentation:
Suite B: invalid signature algorithm. (source)
Original documentation:
Suite B: curve not allowed for this LOS. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -suiteB_192 endpoint.crt
Original documentation:
Suite B: cannot sign P-384 with P-256. (source)
Formatting errors
These errors occur when a field of the certificate/CRL contains invalid values or is badly formatted.
Relevant links: Certificate Signature (RFC 5280), Certificate Time formatting (RFC 5280), Certificate Signature Algorithm (RFC 5280)
Original documentation:
The signature of the certificate is invalid. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Corresponding errors:
- Botan/SIGNATURE_ERROR
- GnuTLS/GNUTLS_CERT_SIGNATURE_FAILURE
- mbedTLS/MBEDTLS_X509_BADCERT_NOT_TRUSTED
Original documentation:
The signature of the certificate is invalid. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
Corresponding errors:
Original documentation:
The certificate notBefore field contains an invalid time. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Original documentation:
The certificate notAfter field contains an invalid time. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Original documentation:
The CRL lastUpdate field contains an invalid time. (source)
Original documentation:
The CRL nextUpdate field contains an invalid time. (source)
Original documentation:
The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys. (source)
Original documentation:
The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused. (source)
Unused: As of now only defined in the code but not used. Also marked as unused in the docs.
Original documentation:
The public key in the certificate SubjectPublicKeyInfo could not be read. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Original documentation:
Issuer certificate doesn't have a public key. (source)
Original documentation:
Subject signature algorithm and issuer public key algorithm mismatch (source)
Uncategorized errors
These errors are not yet categorized, deprecated or not used at all.
Original documentation:
Proxy certificates not allowed, please use -allow_proxy_certs. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Original documentation:
Invalid non-CA certificate has CA markings. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -allow_proxy_certs -CAfile ca.crt endpoint.crt
Original documentation:
Proxy path length constraint exceeded. (source)
Original documentation:
Proxy certificate name violation. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -allow_proxy_certs -CAfile ca.crt -untrusted endpoint.crt proxy.crt
Original documentation:
Invalid certificate verification context. (source)
Original documentation:
Issuer certificate lookup error. (source)
Original documentation:
An error occurred trying to allocate memory. This should never happen. (source)
Original documentation:
Application verification failure. Unused. (source)
Original documentation:
DANE TLSA authentication is enabled, but no TLSA records matched the certificate chain. This error is only possible in s_client(1). (source)
Original documentation:
Certificate Transparency required, but no valid SCTs found. (source)
Original documentation:
Returned by the verify callback to indicate an OCSP verification is needed. (source)
Original documentation:
Unspecified error; should not happen. (source)
Original documentation:
Proxy certificate subject is invalid. It MUST be the same as the issuer with a single CN component added. (source)
Unused: this error code is not defined in the source at all. It appeared in the OpenSSL 1.1.1 documentation but is absent from the current master documentation.
Original documentation:
The operation was successful. (source)
Example certificate
Download the certificate archive and validate its contents using the command indicated below. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub.
Validate with: openssl verify -CAfile ca.crt endpoint.crt
Corresponding errors:
- Botan/VERIFIED
About the project
The project is developed at the Centre for Research on Cryptography and Security (CRoCS) at Masaryk University, Brno, Czech Republic by Martin Ukrop, Pavol Žáčik, Eric Valčík with the help of Michaela Balážová and Matěj Grabovský. For more details, see the ReadMe file in the project repository on GitHub.
The authors are grateful for the financial support by Red Hat Czech and Kiwi.com.