On 10/03/01 02:17 PM, Neulinger, Nathan sat at the `puter and typed:
> I went and generated a csr from ca.key, sent it to UM System, had them sign
> it, brought it back, put it in certificate-chain-file on a httpd server, and
> also used ca.key and the new cert to sign a csr for that web server. (I
> figured generating new certificates for the servers isn't that big a deal in
> our case.)
>
> After I installed the UM-System root CA in my IE client, it works happy as
> can be, automatically does the certificate chain and validates successfully
> back to the root.
>
> However, on Netscape and openssl s_client, it does not work. It says
> something about Invalid CA. Here's the exact error:
>
> infinity(58)>openssl s_client -CApath /umr/s/openssl/common/certs -connect falcon.cc.umr.edu:443
> CONNECTED(00000003)
> depth=1 [EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
> verify error:num=24:invalid CA certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information [EMAIL PROTECTED]
>    i:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
>  1 s:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
>    i:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Columbia/O=University of Missouri/OU=Information Technology/CN=University of Missouri Root Authority
> ---
>
> If I try to do 'openssl x509 -in um-root.pem -text', or on the new
> umr-cert.pem, it segfaults right as it's about to print out CRL locations.
> (I'm running 0.9.6a in case it matters.)
>
> Now, on netscape/mozilla, if I go ahead and install the new UMR CA-Cert
> (what's in the chain) it works just fine, but the automatic validation along
> the chain is not working.
>
> Any ideas?
>
> -- Nathan
Hmm. Not that familiar with crl locations at this point. Next on my list. Anyone else?

One thing you might want to do is check the openssl.cnf that was used to generate the UM System cert. From the error you give, I suspect it has the pathlen:0 on the basicConstraints line. In that case, the UMS cert cannot be used to sign other CAs. It will have to be regenerated from an openssl.cnf with the pathlen removed or raised to the maximum chain length they wish to permit.

HTH
Lou
-- 
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net
Radioactive cats have 18 half-lives.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
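To make the check Lou suggests concrete, here is an added example (my own, not code from the thread or from the OpenSSL project) that rebuilds the same three-level layout with throwaway keys on a current openssl command line: a root signs a campus CA, which signs a web server certificate, the 0/1 chain seen in the s_client output above. It issues the root twice from one key, first with `pathlen:0` and then with the constraint raised to `pathlen:1`, and for comparison also issues the campus certificate once without `CA:TRUE`, then runs `openssl verify` against each chain so the error text for each mistake can be seen side by side. The subjects, file names and the `www.example.test` host name are made up for the demo; the results below are from OpenSSL 1.1.x/3.x, not the 0.9.6a mentioned in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: rebuild the
# root -> intermediate CA -> web server chain with throwaway keys and show
# what `openssl verify` says about (a) a root with basicConstraints
# pathlen:0, (b) the same root reissued with pathlen:1, and (c) an
# intermediate issued without CA:TRUE. Every subject, file name and host
# name below is made up for the demo. Requires a current openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Tiny req config so the demo does not depend on the system openssl.cnf.
# The DN comes from -subj, so the [dn] section can stay empty.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# ext NAME LINE...: write an -extfile with one X.509v3 extension per line
ext() { f="$WORK/$1.ext"; shift; printf '%s\n' "$@" > "$f"; }

# newkey NAME SUBJECT: fresh RSA key and CSR in $WORK
newkey() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "$2" \
        -config "$WORK/req.cnf" -out "$WORK/$1.csr" 2>/dev/null
}

# issue OUT CSR SERIAL EXT [CACERT CAKEY]: self-signed with the CSR's own
# key when no CA is given, otherwise signed by CAKEY; writes $WORK/OUT.pem
issue() {
    if [ $# -lt 6 ]; then
        openssl x509 -req -in "$WORK/$2.csr" -signkey "$WORK/$2.key" \
            -set_serial "$3" -days 1 -extfile "$WORK/$4.ext" \
            -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$2.csr" \
            -CA "$WORK/$5.pem" -CAkey "$WORK/$6.key" \
            -set_serial "$3" -days 1 -extfile "$WORK/$4.ext" \
            -out "$WORK/$1.pem" 2>/dev/null
    fi
}

# basic_constraints CERT: the Basic Constraints value as -text prints it,
# e.g. "CA:TRUE, pathlen:0"; this is the line to look at in a suspect CA cert
basic_constraints() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        sed -n '/X509v3 Basic Constraints/{n;s/^[[:space:]]*//;p;}'
}

# verdict ROOT INTERMEDIATE LEAF: classify what openssl verify reports
verdict() {
    out=$(openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
        "$WORK/$3.pem" 2>&1 || true)
    case $out in
        *'path length constraint exceeded'*) echo PATHLEN ;;
        *'invalid CA certificate'*)          echo INVALID_CA ;;
        *': OK'*)                            echo OK ;;
        *)                                   echo OTHER ;;
    esac
}

ext ca0   'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign'
ext ca1   'basicConstraints=critical,CA:TRUE,pathlen:1' 'keyUsage=critical,keyCertSign,cRLSign'
ext notca 'basicConstraints=critical,CA:FALSE'
ext leaf  'basicConstraints=critical,CA:FALSE' \
          'keyUsage=critical,digitalSignature,keyEncipherment' \
          'subjectAltName=DNS:www.example.test'

newkey root   '/O=Example University/CN=Example Root Authority'
newkey campus '/O=Example University/OU=Campus CIS/CN=Example Campus CA'
newkey server '/O=Example University/CN=www.example.test'

issue root0   root    1   ca0                  # root as first issued: pathlen:0
issue root1   root    2   ca1                  # same key, reissued with pathlen:1
issue campus0 campus  10  ca0   root0 root     # campus CA signed under root0
issue campus1 campus  11  ca0   root1 root     # same CSR re-signed under root1
issue notca   campus  12  notca root1 root     # same CSR issued without CA:TRUE
issue server  server  100 leaf  campus1 campus # server cert; campus key is the same in all three

printf 'root0: %s   root1: %s\n' "$(basic_constraints root0)" "$(basic_constraints root1)"
for chain in 'root0 campus0' 'root1 campus1' 'root1 notca'; do
    set -- $chain
    printf '%-5s -> %-7s -> server : %s\n' "$1" "$2" "$(verdict "$1" "$2" server)"
done
```

With the `pathlen:0` root, verify reports `path length constraint exceeded` at the root's depth; with the campus certificate issued without `CA:TRUE` it reports `invalid CA certificate` at depth 1, the same wording as `verify error:num=24` in the s_client output, so the two mistakes can be told apart from the message alone. After the root is reissued with `pathlen:1`, the same campus CSR re-signed under it and the unchanged server certificate verify cleanly: the server certificate is signed by the campus key, which did not change, so only the CA certificates had to be reissued in this demo.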