Making X.509 errors usable.

Validating X.509 certificates correctly turns out to be pretty complicated (e.g. Georgiev2012, Ukrop2019). Yet certificate validation is absolutely crucial for secure communication on the Internet (think TLS).

Our goal is to simplify the ecosystem by consolidating the errors and their documentation (similarly to web documentation) and by better explaining what the validation errors mean.

For every error, we aim to provide an example certificate, the documentation from OpenSSL and the corresponding documentation from other TLS libraries. In the future, we plan to allow reorganizing the catalogue by the other libraries (currently, the web is organized by OpenSSL), to add error frequencies based on IP-wide scans and to elaborate on the consequences of individual errors.

Multiple libraries

Our consolidated taxonomy targets the eight most used TLS-enabled libraries. The main structure is based on OpenSSL, as it is by far the most used library in the TLS domain.


Further details

We extend the existing research on security, TLS and documentation design. Details are described in the frequently asked questions on a separate page.


Feedback welcome!

Like the project? Think it's useless? Found something not working? Please let us know; we are grateful for all feedback.


Time validity errors

Errors occurring when a certificate (or the CRL used to check it) is outside its validity period, or when the certificate has been revoked by its CA.
Relevant links: Certificate Validity (RFC 5280), Certificate Revocation (RFC 5280)

X509_V_ERR_CERT_NOT_YET_VALID

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
  • Botan: botan cert_verify endpoint.crt ca.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt

OpenSSL: X509_V_ERR_CERT_NOT_YET_VALID (source)

The certificate is not yet valid: the notBefore date is after the current time.

GnuTLS: GNUTLS_CERT_NOT_ACTIVATED (source)

The certificate is not yet activated.

Botan: CERT_NOT_YET_VALID (source)

Certificate is not yet valid

mbedTLS: MBEDTLS_X509_BADCERT_FUTURE (source)

The certificate validity starts in the future

X509_V_ERR_CERT_HAS_EXPIRED

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
  • Botan: botan cert_verify endpoint.crt ca.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt

OpenSSL: X509_V_ERR_CERT_HAS_EXPIRED (source)

The certificate has expired: that is, the notAfter date is before the current time.

GnuTLS: GNUTLS_CERT_EXPIRED (source)

The certificate has expired.

Botan: CERT_HAS_EXPIRED (source)

Certificate has expired

mbedTLS: MBEDTLS_X509_BADCERT_EXPIRED (source)

The certificate validity has expired

X509_V_ERR_CRL_NOT_YET_VALID

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
  • GnuTLS: certtool --load-ca-certificate ca.crt --infile ca.crl --verify-crl
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt crl_file=ca.crl

OpenSSL: X509_V_ERR_CRL_NOT_YET_VALID (source)

The CRL is not yet valid.

GnuTLS: GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE (source)

The revocation data have a future issue date.

mbedTLS: MBEDTLS_X509_BADCRL_FUTURE (source)

The CRL is from the future

X509_V_ERR_CRL_HAS_EXPIRED

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
  • GnuTLS: certtool --load-ca-certificate ca.crt --infile ca.crl --verify-crl
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt crl_file=ca.crl

OpenSSL: X509_V_ERR_CRL_HAS_EXPIRED (source)

The CRL has expired.

GnuTLS: GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED (source)

The revocation data are old and have been superseded.

mbedTLS: MBEDTLS_X509_BADCRL_EXPIRED (source)

The CRL is expired

X509_V_ERR_CERT_REVOKED

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below. Revocation is only checked when explicitly requested: OpenSSL needs -crl_check together with the CRL passed via -CRLfile, GnuTLS needs the CRL loaded and mbedTLS needs crl_file. Without the CRL, the same certificate validates successfully.

  • OpenSSL: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --load-crl ca.crl --infile endpoint.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt crl_file=ca.crl

OpenSSL: X509_V_ERR_CERT_REVOKED (source)

The certificate has been revoked.

GnuTLS: GNUTLS_CERT_REVOKED (source)

Certificate is revoked by its authority. In X.509 this will be set only if CRLs are checked.

Botan: CERT_IS_REVOKED (source)

Certificate is revoked

mbedTLS: MBEDTLS_X509_BADCERT_REVOKED (source)

The certificate has been revoked (is on a CRL)
Trust chain errors

These errors occur when the trust chain from the end-entity certificate to a trusted root cannot be built or fails to validate.
Relevant links: Certificate Paths (RFC 5280), Certificate Revocation Lists (RFC 5280), OCSP (RFC 2560, obsoleted by RFC 6960)

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below. Note that subca.crt is passed as the trusted CA: the certificate whose issuer is missing was itself taken from the trusted store, which distinguishes this error from X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY below, raised when the issuer of an untrusted certificate cannot be found.

  • OpenSSL: openssl verify -CAfile subca.crt -untrusted subca.crt endpoint.crt

OpenSSL: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (source)

The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify endpoint.crt
  • GnuTLS: certtool --verify --infile endpoint.crt
  • Botan: botan cert_verify endpoint.crt

OpenSSL: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (source)

The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND (source)

The certificate’s issuer is not known. This is the case if the issuer is not included in the trusted certificate list.

Botan: CERT_ISSUER_NOT_FOUND (source)

Certificate issuer not found

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify endpoint.crt
  • GnuTLS: certtool --verify --infile endpoint.crt
  • Botan: botan cert_verify endpoint.crt

OpenSSL: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (source)

The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates.

GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND (source)

The certificate’s issuer is not known. This is the case if the issuer is not included in the trusted certificate list.

Botan: CANNOT_ESTABLISH_TRUST (source)

Cannot establish trust

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -untrusted ca.crt endpoint.crt
  • GnuTLS: certtool --verify --infile chain.crt
  • Botan: botan cert_verify chain.crt

OpenSSL: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (source)

The certificate chain could be built up using the untrusted certificates but the root could not be found locally.

GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND (source)

The certificate’s issuer is not known. This is the case if the issuer is not included in the trusted certificate list.

Botan: CANNOT_ESTABLISH_TRUST (source)

Cannot establish trust

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_CERT_CHAIN_TOO_LONG

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile subca.crt -untrusted subca.crt -verify_depth 0 endpoint.crt

OpenSSL: X509_V_ERR_CERT_CHAIN_TOO_LONG (source)

The certificate chain length is greater than the supplied maximum depth. Unused.

X509_V_ERR_UNABLE_TO_GET_CRL

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -crl_check -CAfile ca.crt endpoint.crt

OpenSSL: X509_V_ERR_UNABLE_TO_GET_CRL (source)

The CRL of a certificate could not be found.

X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER

OpenSSL: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER (source)

Unable to get CRL issuer certificate.

X509_V_ERR_CRL_PATH_VALIDATION_ERROR

OpenSSL: X509_V_ERR_CRL_PATH_VALIDATION_ERROR (source)

CRL path validation error.

X509_V_ERR_DIFFERENT_CRL_SCOPE

OpenSSL: X509_V_ERR_DIFFERENT_CRL_SCOPE (source)

Different CRL scope.

X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

OpenSSL: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE (source)

No signatures could be verified because the chain contains only one certificate and it is not self signed.

X509_V_ERR_PATH_LOOP

OpenSSL: X509_V_ERR_PATH_LOOP (source)

Path loop.

X509_V_ERR_OCSP_CERT_UNKNOWN

OpenSSL: X509_V_ERR_OCSP_CERT_UNKNOWN (source)

Returned by the verify callback to indicate that the certificate is not recognized by the OCSP responder.

X509_V_ERR_AKID_SKID_MISMATCH

OpenSSL: X509_V_ERR_AKID_SKID_MISMATCH (source)

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH

OpenSSL: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH (source)

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

X509_V_ERR_SUBJECT_ISSUER_MISMATCH

OpenSSL: X509_V_ERR_SUBJECT_ISSUER_MISMATCH (source)

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

X509_V_ERR_OCSP_VERIFY_FAILED

OpenSSL: X509_V_ERR_OCSP_VERIFY_FAILED (source)

Returned by the verify callback to indicate OCSP verification failed.

Basic extension errors

Errors related to extensions in general or to the BasicConstraints standard extension.
Relevant links: Certificate Extensions (RFC 5280), BasicConstraints Extension (RFC 5280)

X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE

OpenSSL: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE (source)

Unsupported extension feature.

X509_V_ERR_INVALID_CA

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -untrusted subca.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile chain.crt
  • Botan: botan cert_verify endpoint.crt subca.crt ca.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt

OpenSSL: X509_V_ERR_INVALID_CA (source)

A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.

GnuTLS: GNUTLS_CERT_SIGNER_NOT_CA (source)

The certificate’s signer was not a CA. This may happen if this was a version 1 certificate, which is common with some CAs, or a version 3 certificate without the basic constraints extension.

Botan: CA_CERT_NOT_FOR_CERT_ISSUER (source)

CA certificate not allowed to issue certs

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_PATH_LENGTH_EXCEEDED

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -untrusted subca1.crt -untrusted subca2.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile chain.crt
  • Botan: botan cert_verify endpoint.crt subca1.crt subca2.crt ca.crt

OpenSSL: X509_V_ERR_PATH_LENGTH_EXCEEDED (source)

The basicConstraints pathlength parameter has been exceeded.

GnuTLS: GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE (source)

The certificate’s signer constraints were violated.

Botan: CERT_CHAIN_TOO_LONG (source)

Certificate chain too long

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION

OpenSSL: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION (source)

Unhandled critical extension.

GnuTLS: GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS (source)

The certificate has extensions marked as critical which are not supported.

Botan: UNKNOWN_CRITICAL_EXTENSION (source)

Unknown critical extension encountered

X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION

OpenSSL: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION (source)

Unhandled critical CRL extension.

X509_V_ERR_INVALID_EXTENSION

OpenSSL: X509_V_ERR_INVALID_EXTENSION (source)

Invalid or inconsistent certificate extension.

Name errors

Errors signalling problems with hostname verification, the NameConstraints standard extension or the IP Address Delegation extension.
Relevant links: NameConstraints extension (RFC 5280), IP Address Delegation extension (RFC 3779), Certificate Common Name (RFC 5280)

X509_V_ERR_HOSTNAME_MISMATCH

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -verify_hostname www.crocs.muni.cz endpoint.crt

OpenSSL: X509_V_ERR_HOSTNAME_MISMATCH (source)

Hostname mismatch.

Botan: CERT_NAME_NO_MATCH (source)

Certificate does not match provided name

mbedTLS: MBEDTLS_X509_BADCERT_CN_MISMATCH (source)

The certificate Common Name (CN) does not match with the expected CN
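The commands on this page run against the project's downloadable archives. As an added example (written for this edit; it is not code from the x509errors project), the script below builds its own throwaway PKI with the openssl CLI and reproduces, in one run, the time validity errors, the trust chain errors, the BasicConstraints errors and the hostname mismatch described above. It assumes an openssl 1.1.1 or 3.x binary on PATH; the certificate names ca, subca, endpoint, notca, leaf_notca, ca0, subca0, leaf0 and cnonly and the host names www.example.test and legacy.example.test are constructed for the example. Instead of the error names it prints the numeric X509_V_ERR_* values from OpenSSL's x509_vfy.h (9 CERT_NOT_YET_VALID, 10 CERT_HAS_EXPIRED, 18 DEPTH_ZERO_SELF_SIGNED_CERT, 19 SELF_SIGNED_CERT_IN_CHAIN, 20 UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 24 INVALID_CA, 25 PATH_LENGTH_EXCEEDED, 62 HOSTNAME_MISMATCH), parsed from the "error N at D depth lookup:" line that openssl verify prints.

```shell
#!/bin/sh
# Added example, not part of the x509errors project: build a throwaway PKI with
# the openssl CLI and reproduce several errors from this page, printing the
# numeric X509_V_ERR_* code (values from OpenSSL's x509_vfy.h) per scenario.
# Assumes openssl 1.1.1 or 3.x on PATH; all files go to a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# csr NAME [CN]: generate a 2048-bit RSA key and a CSR for CN (default: NAME).
csr() {
    openssl req -new -batch -newkey rsa:2048 -nodes -sha256 -subj "/CN=${2:-$1}" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue NAME ISSUER EXT...: sign NAME's CSR with ISSUER's key (ISSUER=self for
# a self-signed root), valid 30 days, adding the given X.509v3 extension lines.
issue() {
    name=$1; issuer=$2; shift 2
    printf '%s\n' "$@" > "$WORK/$name.ext"
    if [ "$issuer" = self ]; then
        openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" \
            -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# vcode ARGS...: run `openssl verify ARGS` inside $WORK and print the code of
# the first "error N at D depth lookup: ..." line, or 0 if verification passed.
vcode() {
    out=$(cd "$WORK" && openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup:.*/\1/p' \
        | head -n 1)
    echo "${code:-0}"
}

# build_pki: ca -> subca -> endpoint (SAN www.example.test) and a CN-only leaf;
# ca -> notca (CA:FALSE) -> leaf_notca; ca0 (pathlen:0) -> subca0 -> leaf0.
build_pki() {
    for n in ca subca endpoint notca leaf_notca ca0 subca0 leaf0; do csr "$n"; done
    csr cnonly legacy.example.test
    issue ca self 'basicConstraints=critical,CA:TRUE'
    issue subca ca 'basicConstraints=critical,CA:TRUE'
    issue endpoint subca 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:www.example.test'
    issue cnonly subca 'basicConstraints=CA:FALSE'
    issue notca ca 'basicConstraints=critical,CA:FALSE'
    issue leaf_notca notca 'basicConstraints=CA:FALSE'
    issue ca0 self 'basicConstraints=critical,CA:TRUE,pathlen:0'
    issue subca0 ca0 'basicConstraints=critical,CA:TRUE'
    issue leaf0 subca0 'basicConstraints=CA:FALSE'
}

# show ARGS...: print "<code>  openssl verify ARGS" for one scenario.
show() { printf '%3s  openssl verify %s\n' "$(vcode "$@")" "$*"; }

build_pki
now=$(date +%s)
show -CAfile ca.crt -untrusted subca.crt endpoint.crt                       #  0  X509_V_OK
show -CAfile ca.crt endpoint.crt                                            # 20  intermediate missing
show -untrusted subca.crt -untrusted ca.crt endpoint.crt                    # 19  root present but not trusted
show ca.crt                                                                 # 18  lone self-signed cert
show -CAfile ca.crt -untrusted notca.crt leaf_notca.crt                     # 24  issuer has CA:FALSE
show -CAfile ca0.crt -untrusted subca0.crt leaf0.crt                        # 25  root allows pathlen:0
show -attime $((now - 86400)) -CAfile ca.crt -untrusted subca.crt endpoint.crt      #  9  clock one day back
show -attime $((now + 40 * 86400)) -CAfile ca.crt -untrusted subca.crt endpoint.crt # 10  clock 40 days ahead
show -CAfile ca.crt -untrusted subca.crt -verify_hostname www.example.test endpoint.crt   #  0  SAN matches
show -CAfile ca.crt -untrusted subca.crt -verify_hostname endpoint endpoint.crt           # 62  CN ignored, SAN present
show -CAfile ca.crt -untrusted subca.crt -verify_hostname legacy.example.test cnonly.crt  #  0  CN used, no SAN
```

Two details are worth noticing. The time errors are produced with -attime rather than by minting expired certificates, which is the quickest way to test how a deployment reacts to them. The last three lines show why the mbedTLS text above talks about the Common Name while OpenSSL and Botan talk about names in general: OpenSSL's X509_check_host consults the CN only when the certificate carries no subjectAltName dNSName at all, so a certificate with a SAN is never matched by its CN. Finally, openssl verify also loads the system trust store by default, so when checking a chain against a private CA you may want -no-CAfile and -no-CApath (and -no-CAstore on 3.x) to be sure nothing else is vouching for it.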

X509_V_ERR_EMAIL_MISMATCH

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -verify_email crocs@muni.cz endpoint.crt

OpenSSL: X509_V_ERR_EMAIL_MISMATCH (source)

Email address mismatch.

X509_V_ERR_IP_ADDRESS_MISMATCH

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -verify_ip 192.168.0.0 endpoint.crt

OpenSSL: X509_V_ERR_IP_ADDRESS_MISMATCH (source)

IP address mismatch.

X509_V_ERR_PERMITTED_VIOLATION

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
  • Botan: botan cert_verify endpoint.crt ca.crt

OpenSSL: X509_V_ERR_PERMITTED_VIOLATION (source)

Permitted subtree violation.

GnuTLS: GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE (source)

The certificate’s signer constraints were violated.

Botan: NAME_CONSTRAINT_ERROR (source)

Certificate does not pass name constraint

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_EXCLUDED_VIOLATION

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt

OpenSSL: X509_V_ERR_EXCLUDED_VIOLATION (source)

Excluded subtree violation.

GnuTLS: GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE (source)

The certificate’s signer constraints were violated.

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_SUBTREE_MINMAX

OpenSSL: X509_V_ERR_SUBTREE_MINMAX (source)

Name constraints minimum and maximum not supported.

X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE

OpenSSL: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE (source)

Unsupported name constraint type.

X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX

OpenSSL: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX (source)

Unsupported or invalid name constraint syntax.

X509_V_ERR_UNSUPPORTED_NAME_SYNTAX

OpenSSL: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX (source)

Unsupported or invalid name syntax.

X509_V_ERR_UNNESTED_RESOURCE

OpenSSL: X509_V_ERR_UNNESTED_RESOURCE (source)

RFC 3779 resource not subset of parent's resources.

Usage and policy errors

Errors related to the standard extensions CertificatePolicies, KeyUsage and ExtendedKeyUsage.
Relevant links: KeyUsage extension (RFC 5280), ExtendedKeyUsage extension (RFC 5280), CertificatePolicies extension (RFC 5280)

X509_V_ERR_INVALID_PURPOSE

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -purpose sslserver endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt --verify-purpose 1.3.6.1.5.5.7.3.1

OpenSSL: X509_V_ERR_INVALID_PURPOSE (source)

The supplied certificate cannot be used for the specified purpose.

GnuTLS: GNUTLS_CERT_PURPOSE_MISMATCH (source)

The certificate or an intermediate does not match the intended purpose (extended key usage).

X509_V_ERR_CERT_REJECTED

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -purpose sslserver -CAfile sca.crt endpoint.crt

OpenSSL: X509_V_ERR_CERT_REJECTED (source)

The root CA is marked to reject the specified purpose.

X509_V_ERR_INVALID_POLICY_EXTENSION

OpenSSL: X509_V_ERR_INVALID_POLICY_EXTENSION (source)

Invalid or inconsistent certificate policy extension.

X509_V_ERR_NO_EXPLICIT_POLICY

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -policy_check -explicit_policy -policy 1.3.6.1.4.1.5484.1.10.99.1.0 endpoint.crt

OpenSSL: X509_V_ERR_NO_EXPLICIT_POLICY (source)

No explicit policy.

X509_V_ERR_KEYUSAGE_NO_CRL_SIGN

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl endpoint.crt
  • GnuTLS: certtool --verify-crl --load-ca-certificate ca.crt < ca.crl

OpenSSL: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN (source)

Key usage does not include CRL signing.

X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE

OpenSSL: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE (source)

Key usage does not include digital signature.

X509_V_ERR_KEYUSAGE_NO_CERTSIGN

OpenSSL: X509_V_ERR_KEYUSAGE_NO_CERTSIGN (source)

Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

Algorithm errors

Errors signalling the use of weak, invalid or deprecated algorithms and key sizes.
Relevant links: Algorithm and Key Size Profile for PKI (RFC 7935), Suite B Profile for TLS (RFC 6460)

X509_V_ERR_EE_KEY_TOO_SMALL

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -auth_level 1 endpoint.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt

OpenSSL: X509_V_ERR_EE_KEY_TOO_SMALL (source)

EE certificate key too weak.

mbedTLS: MBEDTLS_X509_BADCERT_BAD_KEY (source)

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

X509_V_ERR_CA_KEY_TOO_SMALL

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -auth_level 1 endpoint.crt
  • Botan: botan cert_verify endpoint.crt ca.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt

OpenSSL: X509_V_ERR_CA_KEY_TOO_SMALL (source)

CA certificate key too weak.

Botan: SIGNATURE_METHOD_TOO_WEAK (source)

Signature method too weak

mbedTLS: MBEDTLS_X509_BADCERT_BAD_KEY (source)

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

X509_V_ERR_CA_MD_TOO_WEAK

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -auth_level 3 endpoint.crt
  • Botan: botan cert_verify endpoint.crt ca.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt

OpenSSL: X509_V_ERR_CA_MD_TOO_WEAK (source)

CA signature digest algorithm too weak.

Botan: UNTRUSTED_HASH (source)

Hash function used is considered too weak for security

mbedTLS: MBEDTLS_X509_BADCERT_BAD_MD (source)

The certificate is signed with an unacceptable hash.

X509_V_ERR_SUITE_B_INVALID_VERSION

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -suiteB_128_only endpoint.crt

OpenSSL: X509_V_ERR_SUITE_B_INVALID_VERSION (source)

Suite B: certificate version invalid.

X509_V_ERR_SUITE_B_INVALID_ALGORITHM

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -suiteB_192 endpoint.crt

OpenSSL: X509_V_ERR_SUITE_B_INVALID_ALGORITHM (source)

Suite B: invalid public key algorithm.

X509_V_ERR_SUITE_B_INVALID_CURVE

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -suiteB_128_only endpoint.crt

OpenSSL: X509_V_ERR_SUITE_B_INVALID_CURVE (source)

Suite B: invalid ECC curve.

X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM

OpenSSL: X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM (source)

Suite B: invalid signature algorithm.

X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -suiteB_192 endpoint.crt

OpenSSL: X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED (source)

Suite B: curve not allowed for this LOS.

X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256

OpenSSL: X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 (source)

Suite B: cannot sign P-384 with P-256.

Formatting errors

These errors occur when a field of the certificate or CRL contains invalid values or is badly formatted.
Relevant links: Certificate Signature (RFC 5280), Certificate Time formatting (RFC 5280), Certificate Signature Algorithm (RFC 5280)

X509_V_ERR_CERT_SIGNATURE_FAILURE

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
  • Botan: botan cert_verify endpoint.crt ca.crt
  • mbedTLS: mbedtls/programs/x509/cert_app mode=file filename=endpoint.crt ca_file=ca.crt

OpenSSL: X509_V_ERR_CERT_SIGNATURE_FAILURE (source)

The signature of the certificate is invalid.

GnuTLS: GNUTLS_CERT_SIGNATURE_FAILURE (source)

The signature verification failed.

Botan: SIGNATURE_ERROR (source)

Signature error

mbedTLS: MBEDTLS_X509_BADCERT_NOT_TRUSTED (source)

The certificate is not correctly signed by the trusted CA

X509_V_ERR_CRL_SIGNATURE_FAILURE

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
  • GnuTLS: certtool --load-ca-certificate ca.crt --verify-crl --infile ca.crl

OpenSSL: X509_V_ERR_CRL_SIGNATURE_FAILURE (source)

The signature of the CRL is invalid.

GnuTLS: GNUTLS_CERT_SIGNATURE_FAILURE (source)

The signature verification failed.

X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD

OpenSSL: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD (source)

The certificate notBefore field contains an invalid time.

X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD

OpenSSL: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD (source)

The certificate notAfter field contains an invalid time.

X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD

OpenSSL: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD (source)

The CRL lastUpdate field contains an invalid time.

X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD

OpenSSL: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD (source)

The CRL nextUpdate field contains an invalid time.

X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE

OpenSSL: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE (source)

The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value; this is only meaningful for RSA keys.

X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE

OpenSSL: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE (source)

The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused.

X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY

OpenSSL: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY (source)

The public key in the certificate SubjectPublicKeyInfo could not be read.

X509_V_ERR_NO_ISSUER_PUBLIC_KEY

OpenSSL: X509_V_ERR_NO_ISSUER_PUBLIC_KEY (source)

Issuer certificate doesn't have a public key.

X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH

OpenSSL: X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH (source)

Subject signature algorithm and issuer public key algorithm mismatch

Uncategorized errors

These errors are not yet categorized, are deprecated or are not used at all.

X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt endpoint.crt

OpenSSL: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED (source)

Proxy certificates not allowed, please use -allow_proxy_certs.

X509_V_ERR_INVALID_NON_CA

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.

  • OpenSSL: openssl verify -allow_proxy_certs -CAfile ca.crt endpoint.crt

OpenSSL: X509_V_ERR_INVALID_NON_CA (source)

Invalid non-CA certificate has CA markings.

X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED

OpenSSL: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED (source)

Proxy path length constraint exceeded.

X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION

OpenSSL: X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION (source)

Proxy certificate name violation.

X509_V_ERR_INVALID_CALL

OpenSSL: X509_V_ERR_INVALID_CALL (source)

Invalid certificate verification context.

X509_V_ERR_STORE_LOOKUP

OpenSSL: X509_V_ERR_STORE_LOOKUP (source)

Issuer certificate lookup error.

X509_V_ERR_OUT_OF_MEM

OpenSSL: X509_V_ERR_OUT_OF_MEM (source)

An error occurred trying to allocate memory. This should never happen.

X509_V_ERR_APPLICATION_VERIFICATION

OpenSSL: X509_V_ERR_APPLICATION_VERIFICATION (source)

Application verification failure. Unused.

X509_V_ERR_DANE_NO_MATCH

OpenSSL: X509_V_ERR_DANE_NO_MATCH (source)

DANE TLSA authentication is enabled, but no TLSA records matched the certificate chain. This error is only possible in s_client(1).

X509_V_ERR_NO_VALID_SCTS

OpenSSL: X509_V_ERR_NO_VALID_SCTS (source)

Certificate Transparency required, but no valid SCTs found.

X509_V_ERR_OCSP_VERIFY_NEEDED

OpenSSL: X509_V_ERR_OCSP_VERIFY_NEEDED (source)

Returned by the verify callback to indicate an OCSP verification is needed.

X509_V_ERR_UNSPECIFIED

OpenSSL: X509_V_ERR_UNSPECIFIED (source)

Unspecified error; should not happen.

X509_V_ERR_PROXY_SUBJECT_INVALID

OpenSSL: X509_V_ERR_PROXY_SUBJECT_INVALID (source)

Proxy certificate subject is invalid. It MUST be the same as the issuer with a single CN component added.

X509_V_OK

Example certificate

Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To see the successful validation result, run the command as indicated below.

  • OpenSSL: openssl verify -CAfile ca.crt endpoint.crt
  • GnuTLS: certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
  • Botan: botan cert_verify endpoint.crt ca.crt

OpenSSL: X509_V_OK (source)

The operation was successful.

Botan: OK (source)

(No detailed documentation provided by the library.)

About the project

The project is developed at the Centre for Research on Cryptography and Security (CRoCS) at Masaryk University, Brno, Czech Republic by Martin Ukrop and Pavol Žáčik. The source files are freely available in the project repository on GitHub.

The authors are grateful for the financial support of Red Hat Czech and Kiwi.com.