On Fri, Apr 23, 2004, Jonathan Cyr wrote:

> Hello OpenSSL folks,
>
> Having a problem generating the proper certificate set for my Verisign
> 128bit class 3 certificate.
>
> Here's the story...
>
> I am using a Reverse-proxy, load balancer called Pound, it's open
> source, and uses certificates/keys from OpenSSL. They seem to be
> generated before the proxy is started, more like an IMAP server, not
> like Apache. http://www.apsis.ch/pound
>
> I had this entire configuration working at one time, Pound, OpenSSL,
> Verisign...
>
> It all started after 1/7/2004 when Verisign had switched over their
> infrastructure to a new configuration. They provided a new intermediate
> certificate for use; of course generic OpenSSL instructions are not on
> the Verisign website. At the time I was using an older version of
> OpenSSL with RedHat AS 2.1. I was warned not to upgrade this version,
> RedHat had tweaked it for use. I was unable to install this
> intermediate certificate or upgrade the OpenSSL.
>
> I switched to SuSE 9.0, using the OpenSSL 0.9.7b installed with it. I
> created a self-signed certificate & key using the command, and pointed
> Pound at it...
>
> openssl req -x509 -newkey rsa:1024 -keyout test.pem -out test.pem
> -days 365 -nodes
>
> Success, a self-signed key/certificate that I point at in the Pound
> config file. This basically proves that Pound is working and set up
> correctly, and processing OpenSSL-generated keys correctly. I've done
> it wrong enough times to know when it's wrong.
>
> So then, I need to produce the same type of set using Verisign as my 3rd
> party.
>
> I used the command...
>
> umask 077
> openssl req -new -out filenamecsr.pem -keyout privkey.pem
>
> I then submitted the CSR file to Verisign, and received the certificate
> thereafter.
>
> I then combined it after decoding the key, with this command...
>
> openssl rsa -in privkey.pem >> keyandcert.pem
>
> Prompted me for a passphrase, entered it. This then created a file with
> this key to which I added the Verisign certificate.
>
> Pointed Pound at it in the config file. Pound sees the file, and reads
> the key and the certificate, properly formed evidently; Pound is
> working, and processing SSL requests.
>
> IE tells me my certificate is wrong, same certificate as before the
> 1/7/2004 problem, but allows me to continue; Verisign intermediate cert
> is expired 1/7/2004, same problem.
>
> Mozilla 1.4 tells me error -8101, which, looked up, is certificate of
> wrong type. Bad CSR?
>
> After emailing the development team for Pound, here's some important
> facts... Pound doesn't actively "run" OpenSSL, it uses the keys and
> certificates only (not Apache-like). On the configure step for
> installing Pound, you use a flag ./configure --with-ssl=/etc/ssl/ for
> OpenSSL's home directory. Also ran SuSE's /usr/bin/c_rehash script
> before configure and make, to update certificate "registry hash". For
> security audit reasons, Pound starts up, looks at a config file and
> cert/key file, and does a root jail.
>
> Questions:
>
> Is this a certificate chain problem, do I need to update the
> intermediate certificate, or is it included with a new OpenSSL like
> 0.9.7b.... How would I do that on SuSE 9.0?
>
> Is this a CSR generation problem? Did I form the CSR command correctly
> for a Verisign Class 3 128bit certificate? If not, what command should
> I use?
>
> Or both?
>
> Unfortunately, this proxy is production, and I get to try to adjust it
> after business hours. There's no URL to look at when I'm not testing.
> The self-signed version is working and in place for production.
If you use the command:

openssl s_client -connect hostname:portnum -showcerts

it will output the certificate chain the server uses. You can then examine
them using (for example):

openssl x509 -in cert.pem -text -noout

to see if the full chain is being sent.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]