Hello OpenSSL folks,

Having a problem generating the proper certificate set for my Verisign 128bit class 3 certificate.

Here's the story...

I am using a reverse-proxy/load balancer called Pound; it's open source and uses certificates/keys from OpenSSL.  They seem to be generated before the proxy is started, more like an IMAP server, not like Apache.  http://www.apsis.ch/pound

I had this entire configuration working at one time, Pound, OpenSSL, Verisign...

It all started after 1/7/2004, when Verisign switched over their infrastructure to a new configuration.  They provided a new intermediate certificate for use; of course, generic OpenSSL instructions are not on the Verisign website.  At the time I was using an older version of OpenSSL with RedHat AS 2.1.  I was warned not to upgrade this version, as RedHat had tweaked it for use.  I was unable to install this intermediate certificate or upgrade the OpenSSL.

I switched to SuSE 9.0, using the OpenSSL 0.9.7b installed with it.  I created a self-signed certificate & key using the command, and pointed Pound at it...

     openssl req -x509 -newkey rsa:1024 -keyout test.pem -out test.pem -days 365 -nodes

Success, a self-signed key/certificate that I point at in the Pound config file.  This basically proves that Pound is working and set up correctly, and processing OpenSSL-generated keys correctly.  I've done it wrong enough times to know when it's wrong.

So then, I need to produce the same type of set using Verisign as my 3rd party.

I used the command...

    umask 077
    openssl req -new -out filenamecsr.pem -keyout privkey.pem

I then submitted the CSR file to Verisign, and received the certificate thereafter.

I then combined it after decoding the key, with this command...

    openssl rsa -in privkey.pem >> keyandcert.pem

It prompted me for a passphrase, and I entered it.  This created a file with this key, to which I added the Verisign certificate.

I pointed Pound at it in the config file.  Pound sees the file and reads the key and the certificate, properly formed evidently; Pound is working and processing SSL requests.

IE tells me my certificate is wrong (same certificate as before the 1/7/2004 problem) but allows me to continue; the Verisign intermediate cert expired 1/7/2004, same problem.

Mozilla 1.4 tells me error -8101, which, when looked up, is "certificate of wrong type".  Bad CSR?

After emailing the development team for Pound, here are some important facts... Pound doesn't actively "run" OpenSSL, it uses the keys and certificates only (not Apache-like).  On the configure step for installing Pound, you use a flag ./configure --with-ssl=/etc/ssl/ for OpenSSL's home directory.  I also ran SuSE's /usr/bin/c_rehash script before configure and make, to update the certificate "registry hash".  For security audit reasons, Pound starts up, looks at a config file and cert/key file, and does a root jail.

Questions:

Is this a certificate chain problem? Do I need to update the intermediate certificate, or is it included with a new OpenSSL like 0.9.7b? How would I do that on SuSE 9.0?

Is this a CSR generation problem? Did I form the CSR command correctly for a Verisign Class 3 128bit certificate?  If not, what command should I use?

Or Both?
Unfortunately, this proxy is production, and I get to try to adjust it after business hours.  There's no URL to look at, when I'm not testing.  The self-signed version is working and in place for production.

Thanks for listening,

Jonathan Cyr
Cyr Information Systems
Verisign Acct: WWW.DOCUMENTALSOLUTIONS.COM
Cranston, RI, USA
[EMAIL PROTECTED]
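The two failure modes the post describes (a server file that lacks the intermediate certificate, and a key that does not belong to the issued certificate) can be checked locally with the openssl CLI before the production proxy is touched. The script below is an added example, not part of the original post or of Pound: it builds a throwaway root, intermediate and server certificate (all names such as "Demo Root CA" and www.example.test are constructed), assembles the single PEM file Pound reads in the order key, server certificate, intermediate, and verifies the chain with and without the intermediate. It assumes an openssl binary (1.1.1 or 3.x) and a default openssl.cnf on the path.

```shell
# Added example: throwaway root -> intermediate -> server chain, assembled into the
# single PEM file Pound reads, with checks for the failure modes from the post.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Generate a key and CSR: $1 = file prefix, $2 = subject CN (constructed demo names).
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign a CSR: $1 = prefix, $2 = issuing CA prefix ("self" = self-signed), $3.. = extensions.
sign_csr() {
  prefix="$1"; ca="$2"; shift 2
  printf '%s\n' "$@" > "$WORK/$prefix.ext"
  if [ "$ca" = self ]; then
    openssl x509 -req -in "$WORK/$prefix.csr" -signkey "$WORK/$prefix.key" -days 30 \
      -extfile "$WORK/$prefix.ext" -out "$WORK/$prefix.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$prefix.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$prefix.ext" -out "$WORK/$prefix.pem" 2>/dev/null
  fi
}

# Build the demo PKI and the combined file: key first, then the server certificate,
# then the intermediate. The root is what the browser already trusts, so it is left out.
build_demo_pki() {
  mk_csr root   "Demo Root CA"
  mk_csr inter  "Demo Intermediate CA"
  mk_csr server "www.example.test"
  sign_csr root   self  "basicConstraints=critical,CA:TRUE"
  sign_csr inter  root  "basicConstraints=critical,CA:TRUE,pathlen:0"
  sign_csr server inter "basicConstraints=CA:FALSE" "subjectAltName=DNS:www.example.test"
  cat "$WORK/server.key" "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
}

# Does the server certificate chain to the root? $1 = "with" or "without" the intermediate.
# Without it, verify reports "unable to get local issuer certificate": the gap a browser
# hits when the server's PEM file omits the intermediate.
verify_chain() {
  if [ "$1" = with ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
  fi
}

# Does the private key in a combined file belong to the first certificate in it?
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)" ]
}

# Count PEM blocks of one type: $1 = file, $2 = e.g. CERTIFICATE.
count_blocks() { grep -c -- "-----BEGIN $2-----" "$1"; }
```

Run `build_demo_pki` and then `verify_chain with`, `verify_chain without` and `key_matches_cert "$WORK/bundle.pem"`; against a real deployment, substitute the CA's published root and intermediate for the demo files.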
