OpenSSL - error 18 at 0 depth lookup:self signed certificate

Question

I was trying to create a SSL certificate to use with MySQL as like mentioned here: http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

While verifying the certificates I got the following error

  # openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
    server-cert.pem: C = IN, ST = KERALA, L = COCHIN, O = ABCD, OU = OPERATIONAL, CN = SATHISH, emailAddress = sathish@abcd.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    client-cert.pem: C = IN, ST = KERALA, L = COCHIN, O = ABCD, OU = OPERATIONAL, CN = sathish, emailAddress = sathish@abcd.com
    error 18 at 0 depth lookup:self signed certificate
    OK

Could someone help me on generating keys without any errors based on the document in the above link.

Answer 1

I think you missed this part of the instructions:

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL.

When OpenSSL prompts you for the Common Name for each certificate, use different names.

Answer 2

When you use openssl command that creates the certificates and keys, it will ask you to fill some fields, and you will come across Common Name option like following:

Common Name (e.g. server FQDN or YOUR name) []: 

In this case you need to provide a different name each time and not to let it use the default value.

For example:

CA Cert: app-ca-cert.

Server Cert: app-server-cert.

Client Cert: app-client-cert.

As the guide explained

Important

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files do not work for servers compiled using OpenSSL.