(1) Run the server:
------------------------
$ gnutls-serv --priority=NORMAL -p 9000 --x509cafile=/home/kashyapc/security/qemutls/ca-cert.pem --x509certfile=/home/kashyapc/security/qemutls/server-cert.pem --x509keyfile=/home/kashyapc/security/qemutls/server-key.pem
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 9000...done
HTTP Server listening on IPv6 :: port 9000...done
------------------------

(2) Run the client:
------------------------
$ gnutls-cli --priority=NORMAL -p 9000 --x509cafile=/home/kashyapc/security/qemutls/server-cert.pem 127.0.0.1
Processed 1 CA certificate(s).
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:9000'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=test-server', issuer `CN=Foo,OU=TestOrg,O=Test,C=EU', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-05-04 11:11:57 UTC', expires `2025-05-01 11:11:59 UTC', SHA-1 fingerprint `6977f5bf21c509857cee73f043d6764b5c9e5125'
	Public Key ID:
		466fca446a6535ddaf833d163382977056a14a6a
	Public key's random art:
		+--[ RSA 2048]----+
		| o. oo. |
		| ...+.. |
		| = .=.. . |
		| * +..+ + .|
		| o E +. + = |
		| . = o . * |
		| o . o |
		| |
		| |
		+-----------------+

- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
------------------------

(3) On the server:
------------------------
$ gnutls-serv --priority=NORMAL -p 9000 --x509cafile=/home/kashyapc/security/qemutls/ca-cert.pem --x509certfile=/home/kashyapc/security/qemutls/server-cert.pem --x509keyfile=/home/kashyapc/security/qemutls/server-key.pem
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 9000...done
HTTP Server listening on IPv6 :: port 9000...done

* Accepted connection from IPv4 127.0.0.1 port 36635 on Mon May 4 13:57:20 2015
* Received alert '42': Certificate is bad.
Error in handshake
Error: A TLS fatal alert has been received.
------------------------

(4) Additional info:
------------------------
$ certtool --certificate-info --infile ca-cert.pem | egrep 'Issuer:|Subject:'
	Issuer: CN=Foo,OU=TestOrg,O=Test,C=EU
	Subject: CN=Foo,OU=TestOrg,O=Test,C=EU

$ certtool --certificate-info --infile server-cert.pem | egrep 'Issuer:|Subject:'
	Issuer: CN=Foo,OU=TestOrg,O=Test,C=EU
	Subject: CN=test-server
------------------------