sfackler / rust-native-tls

Apache License 2.0

windows client rejects openssl's based cert/key pair #212

Closed AlexandrTolstikov closed 2 years ago

AlexandrTolstikov commented 2 years ago

I generated a keypair with:

```sh
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365000 \
   -key ca-key.pem \
   -out ca-cert.pem
openssl pkcs12 -export -out identity_ca.p12 -in ca-cert.pem -inkey ca-key.pem
```

And when I passed ca-cert.pem to my client I got an error: Failure(Os { code: -2146869244, kind: "The signature of the certificate cannot be verified" } (maybe the text of the error is not exactly as I wrote it, because I got it in Russian, but after debugging I found that the code is a WinAPI code, pPolicyStatus CERT_CHAIN_POLICY_BASE).

The client code is like:

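```rust
use native_tls::{Certificate, TlsConnector};
use std::fs;
use std::io::{Read, Write};
use std::net::TcpStream;

fn main() {
    let mut builder = TlsConnector::builder();
    // Trust only the certificate loaded from disk, not the system roots.
    let contents = fs::read("pki/server-cert.pem").unwrap();
    let certificate = Certificate::from_pem(contents.as_slice()).unwrap();
    builder.add_root_certificate(certificate);
    builder.disable_built_in_roots(true);
    let connector = builder.build().unwrap();
    let stream = TcpStream::connect("ip_of_server:port").unwrap();
    // The TLS handshake and certificate verification happen in connect().
    let mut stream = connector.connect("my-server.blabla", stream).unwrap();
    stream.write_all(b"Hello there").unwrap();
    let mut res = vec![];
    stream.read_to_end(&mut res).unwrap();
    println!("{}", String::from_utf8_lossy(&res));
}
```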

and this code failed on the "unwrap" of connector.connect("my-server.blabla", stream)

The Linux client completed the handshake successfully.

In Wireshark I see that the client tries to [FIN, ACK] after receiving "Client Key Exchange" instead of sending data to the server.

What am I doing wrong?

P.S. When I generate keys in Win10, the Linux server panicked after parsing the p12 with the error: "140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310". Maybe that's because Win10 uses a weak signature algorithm like MD5 and can't apply any stronger algorithms?

sfackler commented 2 years ago

One thing that jumps out is that you aren't configuring the certificate with a CN or SAN.
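To act on the suggestion above, this added example (not code from the thread or from rust-native-tls) issues a self-signed certificate whose CN and subjectAltName carry the hostname passed to `connect()`, and compares it with a certificate that names no host. The function names, the temporary paths and the `/O=Constructed Example` subject are assumptions made for illustration; `-addext` needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example: functions to issue and check a host-named self-signed cert.

# make_cert OUTDIR SUBJECT [SAN]
# Writes OUTDIR/key.pem and OUTDIR/cert.pem; SAN is e.g. "DNS:host.example".
make_cert() {
    dir=$1; subj=$2; san=${3:-}
    set -- req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "$subj" -keyout "$dir/key.pem" -out "$dir/cert.pem"
    if [ -n "$san" ]; then
        set -- "$@" -addext "subjectAltName=$san"
    fi
    openssl "$@" 2>/dev/null
}

# has_san CERT: succeeds if the certificate has a subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# cert_matches_host CERT HOST: succeeds only if OpenSSL's hostname check
# accepts HOST for CERT (SAN first, CN as fallback when no DNS SAN exists).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# demo: build both certificates in a temporary directory and report on each.
demo() {
    host=my-server.blabla        # the name the client passes to connect()
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bare" "$tmp/named"
    make_cert "$tmp/bare"  "/O=Constructed Example"   # constructed: no CN, no SAN
    make_cert "$tmp/named" "/CN=$host" "DNS:$host"
    for c in bare named; do
        if has_san "$tmp/$c/cert.pem"; then s=yes; else s=no; fi
        if cert_matches_host "$tmp/$c/cert.pem" "$host"; then
            r=match
        else
            r="no match"
        fi
        echo "$c: SAN=$s hostname=$r"
    done
    rm -rf "$tmp"
}
```

Call `demo` after sourcing the file to run both cases; the same `cert_matches_host` check can be pointed at any PEM certificate before it is handed to a client.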

AlexandrTolstikov commented 2 years ago

OK. I solved the problem by generating the cert with certbot. Now it works.