Hello everybody Before I go into the details of my problem (which might very well being me doing somehthing wrong) I would like to thank you for all the work you
do for openssll. Abstract -------- We wrote a web server. We use openssl 0.9.6g for SSL protocol. One of our customers has recently deployed a new server certificate from VeriSign. Unfortunately, this certificate was issued by a Root CA which older versions of Netscape (4.7 below) don't have preinstalled. This forces the browser to complain about a server-certificate presented which is untrusted. The solution is using the intermediate certificate the server-certificate-issuer is providing. >From the openssl-doc we saw that we have to use SSL_CTX_use_certificate_chain(), as depicted on a SuSE Linux discussion forum: >>To complete your setup you must change auth_ssl.c: change from >>SSL_CTX_use_certificate_file() to SSL_CTX_use_certificate_chain_file() >>(note the additional "chain"). Then append all (intermediate and root) CA >>files to the server's certificate file, so that one after the other will >>together form the complete chain. See http://archives.neohapsis.com/archives/linux/suse/2001-q1/0181.html But before we can do that we would in a test first approach set up 2 root CA's and link them with a cross certificate Scenario -------- RootCA1 RootCA2 + + + + +++++Cross-Certificate+++++TestCA2-1 The client browser has only RootCA1's certificate installed. Thus a test would be successful, if a certificate chain built from cat >> TestCA2-1.crt >> RootCA2.crt >> Crosscertificate >> RootCA1 (not needed actually) would verify with only RootCA1.crt as trusted cert present. I had set up the described scenario, and I was able to verify the following: RootCA1 and CrossCertificate with RootCA1.crt as trusted crt RootCA2 and TestCA2-1 with RootCA2.crt as trusted crt but I can't verify TestCA2-1.crt RootCA2.crt Crosscertificate RootCA1. :-) Thus giving #!/bin/ksh /usr/local/ssl/bin/openssl verify -verbose -purpose sslserver -CApath /usr/local/openssl-0.9.6g/openssl-0.9.6g/myca/RootCA1/work/certdir ./chain.crt fails with: ./chain.crt: /C=CH/ST=ZH/O=TestCA2-1/OU=Hank CA [EMAIL PROTECTED] error 20 at 0 depth lookup:unable to get local issuer certificate merlin:/usr/local/openssl-0.9.6g/openssl-0.9.6g/myca/RootCA1/work # Any help would be greatly appreciated. Maybe someone remember how this got tested in openssl. Regards Markus Pfister Details which might help to locate whaht I did wrong ---------------------------------------------------- Crosscertificate was created with: openssl ca -preserveDN -ss_cert RootCA2cert.pem -config /usr/ssl/openssl.cnf -out Crosscert.pem (this was from a post in the newsgroup) alternately, I tried: openssl ca \ -config /usr/ssl/openssl.cnf \ -policy policy_anything \ -preserveDN \ -extensions v3_ca \ -ss_cert ./RootCA2cert.pem \ -out Crosscert.pem The relevant secion in openssl.cnf looks like: #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = ./demoCA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crl_extensions = crl_ext default_days = 1095 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### .... snipp... [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:TRUE # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF The certificates I have in the certificate chain to verify look like: ---TestCA2-1cert--------------------------------------- Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: md5WithRSAEncryption Issuer: C=CH, ST=ZH, O=RootCA2, OU=Hank CA department, [EMAIL PROTECTED] Validity Not Before: Nov 2 13:51:25 2002 GMT Not After : Nov 1 13:51:25 2005 GMT Subject: C=CH, ST=ZH, O=TestCA2-1, OU=Hank CA department, [EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:a5:a4:33:d6:13:b3:65:28:bc:0f:8b:5c:61:0a: e4:0f:9e:27:38:e7:59:57:b7:3b:3f:a2:c2:1e:06: b5:10:40:65:b2:38:81:b3:94:4a:3a:f2:bc:b7:ff: 98:ac:d1:25:91:85:de:77:09:c9:a9:87:47:4c:d8: b5:0d:e2:a3:11:8d:30:9e:19:bf:a7:e4:7a:4f:f8: f0:8c:c7:83:75:20:c1:25:63:e9:67:02:41:46:0b: 5f:1e:1b:14:f5:17:e4:8d:f8:64:be:40:da:24:fc: ea:4e:36:70:15:5b:50:18:5f:fe:79:f7:7a:08:ea: 5c:ef:6c:78:ca:6c:35:ab:11 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: A1:C8:F3:26:79:BE:4B:84:06:9C:44:BF:E0:B0:0E:0A:64:F1:DF:08 X509v3 Authority Key Identifier: keyid:AC:17:B0:F2:1C:F0:C2:3E:60:93:AB:63:A7:BE:AB:3B:BE:9F:A5:7E DirName:/C=CH/ST=ZH/O=RootCA2/OU=Hank CA [EMAIL PROTECTED] serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption c5:73:ae:16:58:96:56:28:5c:ad:71:66:d4:ea:20:5e:c1:3e: 34:9c:28:f0:5b:e2:65:e8:5e:43:37:fb:d7:48:db:a4:29:63: 2e:56:01:c1:ab:62:2d:56:3c:ec:fa:7a:6a:39:62:2f:6f:bb: 3c:f3:f0:4d:4c:d5:55:d5:2d:d6:8c:df:00:68:7a:18:ad:bd: df:48:03:d5:c7:0f:82:03:42:ed:6a:79:f4:45:f8:15:94:19: 4b:70:88:50:10:0a:00:ae:b3:ae:fd:fe:ce:52:fe:14:c7:70: 61:66:b0:6f:15:39:07:fb:28:0e:f2:4b:14:96:29:ec:fa:66: fc:1e ---RootCA21cert- ------------------------------------- Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=CH, ST=ZH, O=RootCA2, OU=Hank CA department, [EMAIL PROTECTED] Validity Not Before: Nov 2 12:45:46 2002 GMT Not After : Nov 2 12:45:46 2003 GMT Subject: C=CH, ST=ZH, O=RootCA2, OU=Hank CA department, [EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d1:a4:af:2d:8e:2c:73:0c:a1:89:0f:db:ae:21: 0b:3c:07:86:ee:a9:dc:6e:47:cc:ec:84:ff:a6:7d: 28:a9:9d:cc:53:6d:d1:2a:cd:9e:40:f0:cc:16:3c: 7a:18:8b:37:1c:0b:76:eb:c1:69:eb:67:c4:dd:18: 16:fd:b7:65:b3:ad:e8:f0:1d:23:c5:35:eb:63:66: 4f:04:ec:a2:b9:d6:25:1d:80:91:76:e6:28:f6:72: 0b:79:9c:3d:29:83:13:6e:68:11:5e:dd:bd:01:15: 45:88:1e:a7:e5:07:fb:21:39:32:38:39:93:7c:cc: e1:e0:bd:83:b5:a6:9a:ce:6f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: AC:17:B0:F2:1C:F0:C2:3E:60:93:AB:63:A7:BE:AB:3B:BE:9F:A5:7E X509v3 Authority Key Identifier: keyid:AC:17:B0:F2:1C:F0:C2:3E:60:93:AB:63:A7:BE:AB:3B:BE:9F:A5:7E DirName:/C=CH/ST=ZH/O=RootCA2/OU=Hank CA [EMAIL PROTECTED] serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption 98:a6:0f:0d:f7:69:41:0e:af:44:d4:e2:d2:fe:9e:6e:c0:84: f5:3f:c9:f0:5a:85:09:55:36:8c:a2:d3:ba:b2:0e:71:30:bb: e0:aa:c7:8e:c5:75:f6:01:0c:17:ec:eb:01:a7:a1:e1:86:7f: 8e:04:1e:32:9c:02:fa:f1:ad:06:2c:4d:e4:1e:2a:9a:7e:52: ec:bb:7f:a0:a5:4d:cd:88:44:42:ae:90:4a:a2:f2:42:7e:c9: c0:1f:3e:35:66:d9:06:4c:d3:b8:ea:ad:ff:3c:be:dd:9f:50: 72:b5:f7:92:c8:61:08:93:1c:0f:5d:67:14:90:d3:4d:00:08: dc:a7 ---Crosscert- -------------------------------------- Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption Issuer: C=CH, ST=ZH, O=RootCA1, OU=Hank CA department, [EMAIL PROTECTED] Validity Not Before: Nov 2 12:46:17 2002 GMT Not After : Nov 1 12:46:17 2005 GMT Subject: C=CH, ST=ZH, O=RootCA2, OU=Hank CA department, [EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d1:a4:af:2d:8e:2c:73:0c:a1:89:0f:db:ae:21: 0b:3c:07:86:ee:a9:dc:6e:47:cc:ec:84:ff:a6:7d: 28:a9:9d:cc:53:6d:d1:2a:cd:9e:40:f0:cc:16:3c: 7a:18:8b:37:1c:0b:76:eb:c1:69:eb:67:c4:dd:18: 16:fd:b7:65:b3:ad:e8:f0:1d:23:c5:35:eb:63:66: 4f:04:ec:a2:b9:d6:25:1d:80:91:76:e6:28:f6:72: 0b:79:9c:3d:29:83:13:6e:68:11:5e:dd:bd:01:15: 45:88:1e:a7:e5:07:fb:21:39:32:38:39:93:7c:cc: e1:e0:bd:83:b5:a6:9a:ce:6f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: AC:17:B0:F2:1C:F0:C2:3E:60:93:AB:63:A7:BE:AB:3B:BE:9F:A5:7E X509v3 Authority Key Identifier: keyid:9E:CB:05:F2:E0:4F:81:83:9A:75:D0:61:D5:B4:28:97:48:9A:7B:AE DirName:/C=CH/ST=ZH/O=RootCA1/OU=Hank CA [EMAIL PROTECTED] serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption a4:b3:45:ff:17:4b:f8:40:9e:74:58:ef:bf:2c:d8:1f:e2:ea: 38:c0:33:1e:d4:b0:51:84:ff:6f:27:d7:71:cb:cb:d0:2e:85: cd:68:f4:3a:65:e7:e2:f7:67:af:33:92:09:28:43:34:a4:01: 38:80:27:5d:c3:4e:ec:19:d3:a2:6c:61:08:76:06:b5:e7:bf: 10:d2:dd:a2:4c:7f:00:86:81:2a:14:da:fd:d0:84:d7:df:6b: 55:61:38:8e:0a:61:51:81:2b:2b:86:4a:d0:e9:48:60:c7:4e: a2:a1:e4:95:84:68:22:e5:b0:bc:8c:18:09:26:d6:84:94:f9: c5:e4 -- RootCA1cert----------------------------------------- Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=CH, ST=ZH, O=RootCA1, OU=Hank CA department, [EMAIL PROTECTED] Validity Not Before: Nov 2 12:39:54 2002 GMT Not After : Nov 2 12:39:54 2003 GMT Subject: C=CH, ST=ZH, O=RootCA1, OU=Hank CA department, [EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:a5:f1:68:c7:ce:d3:b9:3d:41:18:36:c6:a4:54: 80:f8:22:0b:00:59:34:ab:b2:18:3a:2e:1b:0a:c4: ae:19:f8:64:12:27:04:76:da:38:3e:52:d1:3d:05: 52:de:5c:3b:d3:fb:b5:4a:64:17:16:f3:37:91:e7: ea:d1:d7:e8:ab:13:22:6b:06:96:12:71:c0:b4:e7: 4e:d2:ce:aa:e1:f3:42:9a:e7:5d:b4:9d:4d:f6:6a: fb:0f:bd:87:74:e3:6e:28:1b:72:e2:33:af:7a:46: 9d:69:61:3b:46:16:86:05:4d:83:fa:96:26:fa:e2: b3:49:f7:83:ff:1a:47:99:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 9E:CB:05:F2:E0:4F:81:83:9A:75:D0:61:D5:B4:28:97:48:9A:7B:AE X509v3 Authority Key Identifier: keyid:9E:CB:05:F2:E0:4F:81:83:9A:75:D0:61:D5:B4:28:97:48:9A:7B:AE DirName:/C=CH/ST=ZH/O=RootCA1/OU=Hank CA [EMAIL PROTECTED] serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption 55:33:22:7f:e6:ee:a6:e8:12:e2:cb:65:e0:67:b5:92:83:71: b0:1e:b5:d7:52:22:f5:76:90:24:69:48:47:ba:1e:3d:9d:b0: 5d:78:c9:72:9a:51:6c:13:26:bd:69:26:ed:0f:a2:e9:33:c1: 37:9c:83:40:7c:ea:5d:39:92:4a:32:f1:9d:65:0c:50:25:d8: 44:18:12:ad:20:3e:f2:a2:8c:a5:06:9c:d0:4d:27:81:97:76: 56:85:16:34:6d:1e:4b:71:b9:73:cf:ec:fc:12:eb:e8:52:20: 6a:df:95:bc:e2:62:fe:75:75:a0:16:d8:98:82:99:ec:ad:a0: 2e:9d Markus Pfister Visit http://www.kim-dojo.ch ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
