Look at the CA cert in question. Specifically, the line
Signature Algorithm. Awhile back, I updated Openssl and it broke my CA as sha1 was no longer allowed. None of the certs would work with things linked against the new SSL. Check the CA cert with
Code:
openssl x509 -in ca-crt.pem -noout -text
...
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA
Signature Algorithm: sha256WithRSAEncryption
sha256 is fine. For now. If that's not it then I'm not sure.