Error: Peer certificate is issued by a company not in our CA list

When a client connects to a server over https, it must be able to check that it is talking to the right server. It does this by verifying that the server's certificate chains up to a certificate authority (CA) it already trusts, so the CA that issued the server certificate, and any intermediate CA between it and the root, must be present in the client's list of trusted CAs.

This error means that the certificate authority that issued the server (peer) certificate is not in the client's CA list, so the client cannot build a chain of trust from the server certificate to a CA it trusts.

To display the client CA list, use the following command (note that openssl x509 prints only the first certificate in a PEM bundle, so if the list holds several CAs the remaining ones must be inspected separately):
openssl x509 -in ClientCAList.pem -noout -text

Solution:

  1. Add the missing CA certificate, in PEM form, to the client CA list. If the server certificate was issued by an intermediate CA, add every CA in the chain up to the self-signed root; otherwise the client still cannot complete the chain. If MyCompanyCA.crt is a binary (DER) file, add -inform DER to the command.
    openssl x509 -in MyCompanyCA.crt -outform PEM >> ClientCAList.pem
  2. Retry the connection. If the error persists, compare the issuer shown in the server certificate with the subjects of the certificates in the client CA list.

Theory:

A certificate is always tied to a key pair: a public key, which is embedded in the certificate, and a private key, which its owner keeps secret. The certificate binds the public key to a name and is signed by the issuing certificate authority; the private key is what the owner uses during the TLS handshake to prove that the certificate is really theirs.


Diagram showing certificates working in pairs

Figure 1. Certificates working in pairs: a public key and a private key

The chain of trust works as follows. The server has a certificate signed by an issuing (intermediate) authority, whose own certificate is in turn signed by a root authority. When the client also presents a certificate (mutual TLS, also called client certificate authentication), the same applies on the client side; with plain https only the server presents one. A root authority's certificate is signed by itself (self-signed): it is the trust anchor, so it cannot be verified through anyone else's signature and must be placed in the peer's CA list explicitly. A self-signed certificate can also be used directly by a server, in which case that certificate itself has to be added to the client CA list.

Things to remember: