"Neulinger, Nathan" wrote:
>
> I went and generated a csr from ca.key, sent it to UM System, had them sign
> it, brought it back, put it in certificate-chain-file on a httpd server, and
> also used ca.key and the new cert to sign a csr for that web server. (I
> figured generating new certificates for the servers isn't that big a deal in
> our case.)
>
> After I installed the UM-System root CA in my IE client, it works happy as
> can be, automatically does the certificate chain and validates successfully
> back to the root.
>
> However, on Netscape and openssl s_client, it does not work. It says
> something about Invalid CA. Here's the exact error:
>
> infinity(58)>openssl s_client -CApath /umr/s/openssl/common/certs -connect falcon.cc.umr.edu:443
> CONNECTED(00000003)
> depth=1 [EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
> verify error:num=24:invalid CA certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information [EMAIL PROTECTED]
>    i:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
>  1 s:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
>    i:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Columbia/O=University of Missouri/OU=Information Technology/CN=University of Missouri Root Authority
> ---
>
> If I try to do 'openssl x509 -in um-root.pem -text', or on the new
> umr-cert.pem, it segfaults right as it's about to print out CRL locations.
> (I'm running 0.9.6a in case it matters.)
>
> Now, on netscape/mozilla, if I go ahead and install the new UMR CA-Cert
> (what's in the chain) it works just fine, but the automatic validation along
> the chain is not working.
>
It has probably not been signed as a CA certificate, just as a user certificate. OpenSSL rejects such certificates for security reasons.

The x509 utility shouldn't crash though, see if this happens in OpenSSL 0.9.6b. If it still does, can you send me these two certificates and I'll analyse the cause.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
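The failure Steve describes (an intermediate issued as a user certificate rather than a CA certificate) reproduced and then fixed with a throwaway OpenSSL chain. This is an added example, not code from either message; it assumes an `openssl` binary on PATH, and every subject, file name and directory in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce OpenSSL's
# "verify error:num=24:invalid CA certificate" by issuing an intermediate as an
# ordinary user certificate (basicConstraints CA:FALSE), then fix it with CA:TRUE.
# Assumes an `openssl` binary on PATH; every name and subject here is constructed.
WORK=$(mktemp -d)
# Minimal req config: empty DN section (subjects come from -subj) plus a
# CA extension section used only by the self-signed root.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Root" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# make_cert <dir> <name> <subject> <issuer-cert> <issuer-key> <basicConstraints>
make_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'basicConstraints=%s\n' "$6" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
    -days 1 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# build_and_verify <dir-name> <intermediate basicConstraints>: build
# root -> intermediate -> leaf and verify the leaf; exit 0 only on "OK".
build_and_verify() {
  d="$WORK/$1"; mkdir -p "$d"
  make_cert "$d" int "/CN=Example Intermediate" "$WORK/root.pem" "$WORK/root.key" "$2"
  make_cert "$d" leaf "/CN=www.example.test" "$d/int.pem" "$d/int.key" "CA:FALSE"
  # -untrusted supplies the intermediate, as a server's certificate chain file would
  out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem" 2>&1) || true
  printf '%s\n' "$out" | sed 's/^/  /'
  printf '%s\n' "$out" | grep -q ': OK'
}

# ca_flag <cert>: print the CA flag from the certificate's basicConstraints
ca_flag() {
  openssl x509 -in "$1" -noout -text |
    awk '/Basic Constraints/ { getline; sub(/^ +/, ""); print; exit }'
}
echo "intermediate issued as a user certificate (CA:FALSE):"
build_and_verify bad "CA:FALSE" || echo "  -> chain rejected"
echo "intermediate issued as a CA (CA:TRUE):"
build_and_verify good "critical,CA:TRUE" && echo "  -> chain accepted"
```

Running `ca_flag` against the intermediate in a server's chain file shows whether it was issued as a CA before anything is re-signed.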