Certificate Installation with OpenSSL - Common Errors

Back to the guides index

Guides In This Section

Guides In Other Sections

>error 18 at 0 depth lookup:self signed certificate

=> OpenSSL can't verify the certificate in question

To explain and fix this error, you first need to understand how OpenSSL goes about verifying a certificate:

  1. Look at the key for which the certificate was issued
  2. Decide if we trust this key
  3. If not, look at the signer of this key
  4. Decide if we trust them
  5. If not, look at the next person up the signing tree
  6. Repeat until we either trust one of these entities, or we hit a self signed entry
So, to veryify a certificate, we need to trust someone in the key signing chain. At the very top of the chain will be a self signed certificate (it has to be, that's the chain termination). If OpenSSL gets to the end of this chain without trusting anyone, and doesn't the self signed bit either, then it can't verify the certificate. In this case, it'll give an error like:
oxford-ca.pem: /C=GB/ST=Oxfordshire/L=Oxford/O=Oxford University/OU=Computing Services/CN=Oxford University Computing Services CA/Email=ca@computing-services.oxford.ac.uk
error 18 at 0 depth lookup:self signed certificate
What this says is that at 0 depth (i.e. the top of the signer tree), it hit a self signed certificate, but this certificate wasn't trusted. Since OpenSSL can't verify any of the signers of the certificate, it can't verify the certificate. Since this is a fatal problem, it throws the above error.

Once you get someone on the signing chain trusted, you'll get something like:
oxford-herald2-server.pem: OK

The Cause

One of:
  1. A man in the middle attack, sending you an alternate certificate for the server, which was signed by a different CA
  2. The server certificate is self signed and not trusted
  3. The server certificate is signed by a CA you don't trust (eg an in-house one)

The Fix

  1. In this case, you have big problems. Still, it's a good thing that OpenSSL gave you an error about it, rather than blindly trusting it regardless, isn't it?
  2. Get the server certificate (if you haven't already), and install it as a trusted certificate
  3. Get the CA certificate, and install it as a trusted CA
Guides Index
Written By: Nick Burch    Last modified: Friday, 20-Jun-2003 23:30:21 BST
These pages are from http://www.gagravarr.org/writing/openssl-certs/
Creative Commons License This work is licensed under a Creative Commons License.