
I have three certificates, rootca.pem, intermediate.pem and VPN_Client_Test_Certificate.pem. OpenSSL verification fails with error 53. Not sure what syntax error is happening. Kindly help. Certs are below for reference.

rootca.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:22:9f:5a:e1:95:43:9d:96:62:9a:f4:cf:55:a7:73
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Colorado, L=Lakewood, O=Cator, Ruma & Associates, OU=IT Department, CN=CRA External CA Root/[email protected]
        Validity
            Not Before: Jun  4 00:00:00 2025 GMT
            Not After : Jun  5 00:00:00 2045 GMT
        Subject: C=US, ST=Colorado, L=Lakewood, O=Cator, Ruma & Associates, OU=IT Department, CN=CRA External CA Root/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:18:A5:85:F6:CF:4B:13:AA:E2:FC:E3:ED:C1:9A:54:45:0E:95:32:F2

            X509v3 Subject Key Identifier: 
                18:A5:85:F6:CF:4B:13:AA:E2:FC:E3:ED:C1:9A:54:45:0E:95:32:F2
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign

intermediate.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:66:10:e9:62:99:4a:af:b9:c7:d4:f9:db:aa:ab:69
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Colorado, L=Lakewood, O=Cator, Ruma & Associates, OU=IT Department, CN=CRA External CA Root/[email protected]
        Validity
            Not Before: Jun  4 00:00:00 2025 GMT
            Not After : Jun  5 00:00:00 2035 GMT
        Subject: C=US, ST=Colorado, L=Lakewood, O=Cator, Ruma & Associates, OU=IT Department, CN=cra-ca.boi.cra2k.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:18:A5:85:F6:CF:4B:13:AA:E2:FC:E3:ED:C1:9A:54:45:0E:95:32:F2

            X509v3 Subject Key Identifier: 
                96:E2:E0:9C:5E:AF:6F:BC:27:DE:0C:42:67:36:B6:D4:9F:65:F2:8A
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:https://cra-ca.boi.cra2k.com/ca/revoke.crl

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign

VPN_Client_Test_Certificate.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c1:3d:37:98:f6:25:47:b9:97:c7:b6:98:1b:89:e7:31
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Colorado, L=Lakewood, O=Cator, Ruma & Associates, OU=IT Department, CN=cra-ca.boi.cra2k.com/[email protected]
        Validity
            Not Before: Jun 16 00:00:00 2025 GMT
            Not After : Jun 17 00:00:00 2026 GMT
        Subject: C=US, ST=Colorado, L=Lakewood, O=Cator, Ruma & Associates, OU=IT Department, CN=vpntest-client/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:96:E2:E0:9C:5E:AF:6F:BC:27:DE:0C:42:67:36:B6:D4:9F:65:F2:8A
                DirName:/C=US/ST=Colorado/L=Lakewood/O=Cator, Ruma & Associates/OU=IT Department/CN=CRA External CA Root/[email protected]
                serial:6A:66:10:E9:62:99:4A:AF:B9:C7:D4:F9:DB:AA:AB:69

            X509v3 Subject Key Identifier: 
                E7:04:C8:85:0A:BF:5A:F3:73:59:0B:B5:2C:6E:FA:A5:87:C6:A6:49
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:https://cra-ca.boi.cra2k.com/ca/revoke.crl

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Alternative Name: 
                email:localhost, email:127.0.0.1

Verification failed

C = US, ST = Colorado, L = Lakewood, O = "Cator, Ruma & Associates", OU = IT Department, CN = vpntest-client, emailAddress = [email protected]
error 53 at 0 depth lookup:unsupported or invalid name syntax
VPN_Client_Test_Certificate.pem: verification failed: 53 (unsupported or invalid name syntax)

Removed the public key and signature algorithm for simplicity.

2 Comments

  • "X509v3 Subject Alternative Name:: email:localhost, email:127.0.0.1" - this does not make sense. These are obviously not email addresses. Commented Jun 23 at 19:38
  • I guess this is the issue. Thanks @SteffenUllrich for pointing it out. Commented Jun 24 at 9:03

1 Answer

OpenSSL verification error 53: unsupported or invalid name syntax typically points to a problem with one or more X.509 distinguished names.

The problem is you are including emailAddress inside the Common Name — which violates the X.509 standard.

You will need to regenerate the client certificate with a corrected subject.

openssl req -new -key client.key \
  -subj "/C=US/ST=Colorado/L=Lakewood/O=Cator, Ruma & Associates/OU=IT Department/CN=vpntest-client" \
  -addext "subjectAltName=email:[email protected]"

2 Comments

  • But that's how it is in the intermediate certificate also, right? The intermediate certificate is getting verified successfully with the rootca certificate. But this error is observed only for the leaf certificate.
  • OpenSSL is stricter with end-entity certs than CAs. CA certs mainly sign other certs, so parsing is looser. Leaf certs must follow RFC 5280 name rules strictly. The CN field must contain only a simple string (UTF8 or Printable). No slashes, no embedded attributes. This is invalid: CN=vpntest-client/emailAddress=... It mimics a second field, which breaks ASN.1 rules.
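The regeneration the answer recommends, carried through as a complete chain so it can be verified end to end. This is an added example, not code from the question or the answer: it builds a self-signed root, an issuing CA with pathlen:0 and a client certificate whose CN is a plain string and whose e-mail address is carried as an rfc822Name in subjectAltName, then runs the same `openssl verify -CAfile ... -untrusted ...` shape the question uses. It also includes a small check that flags SAN `email:` entries without an `@`, the shape the question's comments point at. The subject names, the `example.test` address, the scratch directory and the helper names (`new_csr`, `make_cas`, `make_leaf`, `verify_leaf`, `check_san_emails`) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds a
# root -> issuing CA -> client chain in a scratch directory with the
# subject layout the answer recommends (plain CN, e-mail as an rfc822Name
# in subjectAltName) and verifies the leaf with `openssl verify`.
# All names, paths and the example.test address are constructed.
set -eu

# Key + CSR for one subject. $1 = dir, $2 = basename, $3 = CN value
new_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Colorado/O=Example Org/OU=IT Department/CN=$3"
}

# Self-signed root and issuing CA, mirroring the basicConstraints and
# keyUsage values shown in the question's rootca/intermediate dumps.
make_cas() {
    new_csr "$1" root "Example Root CA"
    printf '%s\n' \
        "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,digitalSignature,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" > "$1/root.ext"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 3650 \
        -sha256 -extfile "$1/root.ext" -out "$1/root.pem" 2>/dev/null

    new_csr "$1" int "Example Issuing CA"
    printf '%s\n' \
        "basicConstraints=critical,CA:TRUE,pathlen:0" \
        "keyUsage=critical,digitalSignature,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" \
        "authorityKeyIdentifier=keyid" > "$1/int.ext"
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$1/int.ext" \
        -out "$1/int.pem" 2>/dev/null
}

# Client certificate signed by the issuing CA.
# $1 = dir, $2 = basename, $3 = subjectAltName value (e.g. "email:a@b")
make_leaf() {
    new_csr "$1" "$2" vpntest-client
    printf '%s\n' \
        "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment" \
        "extendedKeyUsage=clientAuth,emailProtection" \
        "subjectAltName=$3" \
        "subjectKeyIdentifier=hash" \
        "authorityKeyIdentifier=keyid,issuer" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

# Same invocation shape as `openssl verify -CAfile rootca.pem
# -untrusted intermediate.pem leaf.pem`; prints "<leaf>.pem: OK" on success.
verify_leaf() {
    ( cd "$1" && openssl verify -CAfile root.pem -untrusted int.pem "$2.pem" )
}

# Returns 0 when every email: entry in the SAN contains an '@', and 1 when
# at least one does not (the "email:localhost" shape from the question).
check_san_emails() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p' \
        | grep -qv '@' && return 1
    return 0
}

# Stand-alone run: build the chain, verify the leaf, inspect its SAN.
work=$(mktemp -d)
make_cas "$work"
make_leaf "$work" client "email:vpntest-client@example.test"
verify_leaf "$work" client
check_san_emails "$work/client.pem" && echo "SAN rfc822Name entries are well-formed"
```

Each certificate's extensions go through an `-extfile` rather than `-addext`, so the same script behaves the same on OpenSSL 1.1.1 and 3.x. `verify_leaf` prints `client.pem: OK` for the chain built here; `check_san_emails` is a pre-flight inspection of the leaf, independent of what `openssl verify` reports for a given build.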
