Making X.509 errors usable.
Validating X.509 certificates correctly turns out to be pretty complicated (e.g. Georgiev2012, Ukrop2019). Yet certificate validation is absolutely crucial for secure communication on the Internet (think TLS).
Our goal is to simplify the ecosystem by consolidating the errors and their documentation (similarly to web documentation) and by explaining better what the validation errors mean.
Samples and documentation
For every error, we aim to provide an example certificate, documentation from OpenSSL and documentation from other libraries.
We plan to include the error frequency based on IP-wide scans and a detailed explanation of the consequences.
Multiple libraries
Our consolidated taxonomy targets the eight most used TLS-enabled libraries. The main structure is based on OpenSSL, as it is by far the most used library in the domain of TLS.
Further details
We extend the existing research on security, TLS and documentation design. Details are described in the frequently asked questions on a separate page.
Time validity errors
Errors occurring when a certificate is outside its validity period or when it is revoked by its CA.
Relevant links: Certificate Validity (RFC 5280), Certificate Revocation (RFC 5280)
Example certificate
Download the certificate archive. If you are interested in generating such a certificate yourself, see the generating script for this case on the project GitHub. To get the validation error, run the command as indicated below.
- OpenSSL:
openssl verify -CAfile ca.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
OpenSSL: X509_V_ERR_CERT_NOT_YET_VALID (source)
The certificate is not yet valid: the notBefore date is after the current time.
GnuTLS: GNUTLS_CERT_NOT_ACTIVATED (source)
The certificate is not yet activated.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
OpenSSL: X509_V_ERR_CERT_HAS_EXPIRED (source)
The certificate has expired: that is, the notAfter date is before the current time.
GnuTLS: GNUTLS_CERT_EXPIRED (source)
The certificate has expired.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
- GnuTLS:
certtool --load-ca-certificate ca.crt --infile ca.crl --verify-crl
OpenSSL: X509_V_ERR_CRL_NOT_YET_VALID (source)
The CRL is not yet valid.
GnuTLS: GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE (source)
The revocation data have a future issue date.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
- GnuTLS:
certtool --load-ca-certificate ca.crt --infile ca.crl --verify-crl
OpenSSL: X509_V_ERR_CRL_HAS_EXPIRED (source)
The CRL has expired.
GnuTLS: GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED (source)
The revocation data are old and have been superseded.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
OpenSSL: X509_V_ERR_CERT_REVOKED (source)
The certificate has been revoked.
GnuTLS: GNUTLS_CERT_REVOKED (source)
Certificate is revoked by its authority. In X.509 this will be set only if CRLs are checked.

Trust or chain related errors
These errors occur when the trust chain to the root certificate is not built correctly or fails.
Relevant links: Certificate Paths (RFC 5280), Certificate Revocation Lists (RFC 5280), OCSP (RFC 2560)
Example certificate
- OpenSSL:
openssl verify -CAfile subca.crt -untrusted subca.crt endpoint.crt
OpenSSL: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (source)
The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

Example certificate
- OpenSSL:
openssl verify endpoint.crt
- GnuTLS:
certtool --verify --infile endpoint.crt
OpenSSL: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (source)
The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND (source)
The certificate’s issuer is not known. This is the case if the issuer is not included in the trusted certificate list.

Example certificate
- OpenSSL:
openssl verify endpoint.crt
- GnuTLS:
certtool --verify --infile endpoint.crt
OpenSSL: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (source)
The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates.
GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND (source)
The certificate’s issuer is not known. This is the case if the issuer is not included in the trusted certificate list.

Example certificate
- OpenSSL:
openssl verify -untrusted ca.crt endpoint.crt
- GnuTLS:
certtool --verify --infile chain.crt
OpenSSL: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (source)
The certificate chain could be built up using the untrusted certificates but the root could not be found locally.
GnuTLS: GNUTLS_CERT_SIGNER_NOT_FOUND (source)
The certificate’s issuer is not known. This is the case if the issuer is not included in the trusted certificate list.

Example certificate
- OpenSSL:
openssl verify -CAfile subca.crt -untrusted subca.crt -verify_depth 0 endpoint.crt
OpenSSL: X509_V_ERR_CERT_CHAIN_TOO_LONG (source)
The certificate chain length is greater than the supplied maximum depth. Unused.

Example certificate
- OpenSSL:
openssl verify -crl_check -CAfile ca.crt endpoint.crt
OpenSSL: X509_V_ERR_UNABLE_TO_GET_CRL (source)
The CRL of a certificate could not be found.

OpenSSL: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER (source)
Unable to get CRL issuer certificate.

OpenSSL: X509_V_ERR_CRL_PATH_VALIDATION_ERROR (source)
CRL path validation error.

OpenSSL: X509_V_ERR_DIFFERENT_CRL_SCOPE (source)
Different CRL scope.

OpenSSL: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE (source)
No signatures could be verified because the chain contains only one certificate and it is not self signed.

OpenSSL: X509_V_ERR_PATH_LOOP (source)
Path loop.

OpenSSL: X509_V_ERR_OCSP_CERT_UNKNOWN (source)
Returned by the verify callback to indicate that the certificate is not recognized by the OCSP responder.

OpenSSL: X509_V_ERR_AKID_SKID_MISMATCH (source)
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

OpenSSL: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH (source)
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

OpenSSL: X509_V_ERR_SUBJECT_ISSUER_MISMATCH (source)
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

OpenSSL: X509_V_ERR_OCSP_VERIFY_FAILED (source)
Returned by the verify callback to indicate OCSP verification failed.

Basic extension errors
Errors related to extensions in general or to the BasicConstraints standard extension.
Relevant links: Certificate Extensions (RFC 5280), BasicConstraints Extension (RFC 5280)
OpenSSL: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE (source)
Unsupported extension feature.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -untrusted subca.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile chain.crt
OpenSSL: X509_V_ERR_INVALID_CA (source)
A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.
GnuTLS: GNUTLS_CERT_SIGNER_NOT_CA (source)
The certificate’s signer was not a CA. This may happen if this was a version 1 certificate, which is common with some CAs, or a version 3 certificate without the basic constraints extension.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -untrusted subca1.crt -untrusted subca2.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile chain.crt
OpenSSL: X509_V_ERR_PATH_LENGTH_EXCEEDED (source)
The basicConstraints pathlength parameter has been exceeded.
GnuTLS: GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE (source)
The certificate’s signer constraints were violated.

OpenSSL: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION (source)
Unhandled critical CRL extension.

OpenSSL: X509_V_ERR_INVALID_EXTENSION (source)
Invalid or inconsistent certificate extension.

Name related errors
Errors signaling problems with hostname verification, the NameConstraints standard extension or the IP Address Delegation extension.
Relevant links: NameConstraints extension (RFC 5280), IP Address Delegation extension (RFC 3779), Certificate Common Name (RFC 5280)
Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -verify_hostname www.crocs.muni.cz endpoint.crt
OpenSSL: X509_V_ERR_HOSTNAME_MISMATCH (source)
Hostname mismatch.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -verify_email crocs@muni.cz endpoint.crt
OpenSSL: X509_V_ERR_EMAIL_MISMATCH (source)
Email address mismatch.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -verify_ip 192.168.0.0 endpoint.crt
OpenSSL: X509_V_ERR_IP_ADDRESS_MISMATCH (source)
IP address mismatch.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
OpenSSL: X509_V_ERR_PERMITTED_VIOLATION (source)
Permitted subtree violation.
GnuTLS: GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE (source)
The certificate’s signer constraints were violated.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
OpenSSL: X509_V_ERR_EXCLUDED_VIOLATION (source)
Excluded subtree violation.
GnuTLS: GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE (source)
The certificate’s signer constraints were violated.

OpenSSL: X509_V_ERR_SUBTREE_MINMAX (source)
Name constraints minimum and maximum not supported.

OpenSSL: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE (source)
Unsupported name constraint type.

OpenSSL: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX (source)
Unsupported or invalid name constraint syntax.

OpenSSL: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX (source)
Unsupported or invalid name syntax.

OpenSSL: X509_V_ERR_UNNESTED_RESOURCE (source)
RFC 3779 resource not subset of parent's resources.

Usage and policy errors
Errors related to standard extensions CertificatePolicies, KeyUsage and ExtendedKeyUsage.
Relevant links: KeyUsage extension (RFC 5280), ExtendedKeyUsage extension (RFC 5280), CertificatePolicies extension (RFC 5280)
Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -purpose sslserver endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt --verify-purpose 1.3.6.1.5.5.7.3.1
OpenSSL: X509_V_ERR_INVALID_PURPOSE (source)
The supplied certificate cannot be used for the specified purpose.
GnuTLS: GNUTLS_CERT_PURPOSE_MISMATCH (source)
The certificate or an intermediate does not match the intended purpose (extended key usage).

Example certificate
- OpenSSL:
openssl verify -purpose sslserver -CAfile sca.crt endpoint.crt
OpenSSL: X509_V_ERR_CERT_REJECTED (source)
The root CA is marked to reject the specified purpose.

OpenSSL: X509_V_ERR_INVALID_POLICY_EXTENSION (source)
Invalid or inconsistent certificate policy extension.

OpenSSL: X509_V_ERR_NO_EXPLICIT_POLICY (source)
No explicit policy.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl endpoint.crt
- GnuTLS:
certtool --verify-crl --load-ca-certificate ca.crt < ca.crl
OpenSSL: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN (source)
Key usage does not include CRL signing.

OpenSSL: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE (source)
Key usage does not include digital signature.

OpenSSL: X509_V_ERR_KEYUSAGE_NO_CERTSIGN (source)
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option.

Algorithm related errors
Various errors signaling the use of invalid or deprecated algorithms.
Relevant links: Algorithm and Key Size Profile for PKI (RFC 7935), Suite B Profile for TLS (RFC 6460)
Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -auth_level 1 endpoint.crt
OpenSSL: X509_V_ERR_EE_KEY_TOO_SMALL (source)
EE certificate key too weak.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -auth_level 1 endpoint.crt
OpenSSL: X509_V_ERR_CA_KEY_TOO_SMALL (source)
CA certificate key too weak.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -auth_level 3 endpoint.crt
OpenSSL: X509_V_ERR_CA_MD_TOO_WEAK (source)
CA signature digest algorithm too weak.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -suiteB_128_only endpoint.crt
OpenSSL: X509_V_ERR_SUITE_B_INVALID_VERSION (source)
Suite B: certificate version invalid.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -suiteB_192 endpoint.crt
OpenSSL: X509_V_ERR_SUITE_B_INVALID_ALGORITHM (source)
Suite B: invalid public key algorithm.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -suiteB_128_only endpoint.crt
OpenSSL: X509_V_ERR_SUITE_B_INVALID_CURVE (source)
Suite B: invalid ECC curve.

OpenSSL: X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM (source)
Suite B: invalid signature algorithm.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -suiteB_192 endpoint.crt
OpenSSL: X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED (source)
Suite B: curve not allowed for this LOS.

OpenSSL: X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 (source)
Suite B: cannot sign P-384 with P-256.

Formatting errors
These errors occur when a field of the certificate/CRL contains invalid values or is badly formatted.
Relevant links: Certificate Signature (RFC 5280), Certificate Time formatting (RFC 5280), Certificate Signature Algorithm (RFC 5280)
Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
OpenSSL: X509_V_ERR_CERT_SIGNATURE_FAILURE (source)
The signature of the certificate is invalid.
GnuTLS: GNUTLS_CERT_SIGNATURE_FAILURE (source)
The signature verification failed.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check endpoint.crt
- GnuTLS:
certtool --load-ca-certificate ca.crt --verify-crl --infile ca.crl
OpenSSL: X509_V_ERR_CRL_SIGNATURE_FAILURE (source)
The signature of the certificate is invalid.
GnuTLS: GNUTLS_CERT_SIGNATURE_FAILURE (source)
The signature verification failed.

OpenSSL: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD (source)
The certificate notBefore field contains an invalid time.

OpenSSL: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD (source)
The certificate notAfter field contains an invalid time.

OpenSSL: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD (source)
The CRL lastUpdate field contains an invalid time.

OpenSSL: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD (source)
The CRL nextUpdate field contains an invalid time.

OpenSSL: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE (source)
The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value; this is only meaningful for RSA keys.

OpenSSL: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE (source)
The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused.

OpenSSL: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY (source)
The public key in the certificate SubjectPublicKeyInfo could not be read.

OpenSSL: X509_V_ERR_NO_ISSUER_PUBLIC_KEY (source)
Issuer certificate doesn't have a public key.

OpenSSL: X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH (source)
Subject signature algorithm and issuer public key algorithm mismatch.

Uncategorized errors
These errors are not yet categorized, deprecated or not used at all.
Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt endpoint.crt
OpenSSL: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED (source)
Proxy certificates not allowed, please use -allow_proxy_certs.

Example certificate
- OpenSSL:
openssl verify -allow_proxy_certs -CAfile ca.crt endpoint.crt
OpenSSL: X509_V_ERR_INVALID_NON_CA (source)
Invalid non-CA certificate has CA markings.

OpenSSL: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED (source)
Proxy path length constraint exceeded.

OpenSSL: X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION (source)
Proxy certificate name violation.

OpenSSL: X509_V_ERR_INVALID_CALL (source)
Invalid certificate verification context.

OpenSSL: X509_V_ERR_STORE_LOOKUP (source)
Issuer certificate lookup error.

OpenSSL: X509_V_ERR_OUT_OF_MEM (source)
An error occurred trying to allocate memory. This should never happen.

OpenSSL: X509_V_ERR_APPLICATION_VERIFICATION (source)
Application verification failure. Unused.

OpenSSL: X509_V_ERR_DANE_NO_MATCH (source)
DANE TLSA authentication is enabled, but no TLSA records matched the certificate chain. This error is only possible in s_client(1).

OpenSSL: X509_V_ERR_NO_VALID_SCTS (source)
Certificate Transparency required, but no valid SCTs found.

OpenSSL: X509_V_ERR_OCSP_VERIFY_NEEDED (source)
Returned by the verify callback to indicate an OCSP verification is needed.

OpenSSL: X509_V_ERR_UNSPECIFIED (source)
Unspecified error; should not happen.

OpenSSL: X509_V_ERR_PROXY_SUBJECT_INVALID (source)
Proxy certificate subject is invalid. It MUST be the same as the issuer with a single CN component added.

Example certificate
- OpenSSL:
openssl verify -CAfile ca.crt endpoint.crt
- GnuTLS:
certtool --verify --load-ca-certificate ca.crt --infile endpoint.crt
OpenSSL: X509_V_OK (source)
The operation was successful.

About the project
The project is developed at the Centre for Research on Cryptography and Security (CRoCS) at Masaryk University, Brno, Czech Republic by Martin Ukrop and Pavol Žáčik. The source files are freely available in the project repository on GitHub.
The authors are grateful for the financial support by and Red Hat Czech and Kiwi.com.