Invalid CA certificate with self signed certificate chain

Question

I have a self signed certificate chain with these commands and configured them on an Apache server

But when i try openssl s_client -showcerts -servername server -connect my-host.local:443 -CAfile all.crt

I get an error from openssl Verify return code: 24 (invalid CA certificate)

Is there something wrong with the commands used to generate the certificates or with the configuration files?

commands used to create certificate chain

# self signed root cert
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 3000 -key ca.key -out ca.crt -config ca.conf

# intermediate cert signed with the root cert
openssl genrsa -aes256 -out int.key 4096
openssl req -new -key int.key -out int.csr -config int.conf
openssl x509 -req -days 3000 -in int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out int.crt

# leaf cert signed with the intermediate cert

openssl genrsa -aes256 -out leaf.key 4096
openssl req -new -key leaf.key -out leaf.csr -config leaf.conf
openssl x509 -req -days 3000 -in leaf.csr -CA int.crt -CAkey int.key -set_serial 01 -out leaf.crt

 cat ca.crt int.crt leaf.crt > all.crt

These are the config files I have used

ca.conf

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = root
[ v3_ca ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE,pathlen:1
extendedKeyUsage=serverAuth

int.conf

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = ext
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = int
[ ext ]
keyUsage=critical, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:TRUE,pathlen:0
extendedKeyUsage=serverAuth

leaf.conf

[ req ]
distinguished_name = req_distinguished_name
dirstring_type = nobmp
[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)
commonName_default = leaf

Answer 1

A CA root certificate has to be marked as belonging to a CA:

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

This is done through the basic constraints standard extension. To check whether your root cert has the CA attribute set, run openssl x509 -text -noout -in ca.crt and look for CA:True in the output. Note that OpenSSL will actually let you sign other certs with a non-CA root cert (or at least used to) but verification of such certs will fail (because the CA check will fail).

With your config file, simply including -extensions v3_ca in the command to generate the root cert should suffice:

openssl req -new -x509 -extensions v3_ca -days 3000 -key ca.key -out ca.crt -config ca.conf -extfile ca.conf