Hi,

I'm also fairly new to OpenSSL, and I encountered a problem similar to yours, ending with the same error message.
In my case, I am trying to automate a web connection using a Perl script, with the Crypt::SSLeay Perl module, which finally uses openssl.


After many hard days, a colleague of mine suggested that I use "truss" (on Unix) to trace open system calls.
And I discovered that the script did not open the certificate correctly.
In the meantime, I have also understood that it is not enough to export a certificate.
And I think it's the point you are also missing:


You should run the openssl c_rehash command to create a "hash" entry (something like 6784379.O), which is simply a symbolic link
to your exported certificate file.
This is the file required.


Well, it is only my experience, and I had not enough until now to find more explanation.

Hope it will help you!

Best Regards,
J.L.P.

padma saxena wrote:

Since your problem is 'client certificates not available', you should set SSLVerifyClient to 'optional'.
This will let the server continue the handshake even if the client does not have a certificate.


- Padma
--- Golub Heath <[EMAIL PROTECTED]> wrote:



Sorry in advance but I am fairly new to OpenSSL and though I have read a lot ... I just can't seem to get it right. Any help, even direction pointing (eg. a URL) would be greatly appreciated.

Problem: client certificates not available during SSL handshake

Description: I have a server certificate that was issued by an intermediate CA (DOD Class 3 CA-3) that was issued by the DOD Root CA (DoD CLASS 3 Root CA). Some DoD issued certificates (eg. those issued by the intermediate CA, DOD Class 3 CA-5) work correctly, but those issued by DoD Class 3 CA-8 do not work.

I think what I really just need to figure out is which certificates should go in my ca-bundle.crt file and which certificates should go in the intermediate-ca.crt file.
(Should all intermediate CA certificates be added to the intermediate file?)

Steps Taken (where did I go wrong?):
1. I downloaded the DOD Root Certificates and installed them for IE.
   -http://www.onr.navy.mil/resources/instructions.asp
2. Using the certificate manager (mmc) in Windows 2000, I selected my subordinate and root CAs and exported them to pkcs7 format (ended up with 2 files, 5 certs in the root ca file, 18 certs in the subordinate list).
3. I ran openssl pkcs7 command to extract the certs into text format.
    openssl pkcs7 -inform DER -outform PEM -in DoDRoot.p7b -out DoDRoot-ca.crt -print_certs -text
    openssl pkcs7 -inform DER -outform PEM -in DoDSub.p7b -out DoDSub-ca.crt -print_certs -text
4. Copied the files to my apache server
5. In httpd.conf
    SSLCertificateChainFile conf\ssl.crt\DoDSub-ca.crt
    SSLCACertificateFile conf\ssl.crt\DoDRoot-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2


I have also tried the certificates with just the DOD Class 3 CA-3 in the DoDSub-ca and all the rest in the DoDRoot-ca files.
Any advice?

Thanks in advance, Heath Golub




______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]




-- Jean-Luc Pinardon TCL&ALCATEL Mobile Phones MTD Change & Configuration Management 165, Boulevard de Valmy mailto:[EMAIL PROTECTED] 92707 Colombes Cedex Phone : +33 1 55 66 77 54 France Fax : +33 1 55 66 33 37
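
Added example, not part of the original messages: a shell sketch of the hash-link step described in the first reply. For one certificate it does by hand what c_rehash does for a whole directory, naming a symbolic link after the certificate's subject hash (8 hex digits plus a numeric suffix such as .0) so that a CApath directory lookup can find it. The throwaway CA, the file names and the function names are constructed for the demo, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Names and the demo CA are constructed.

# Create a throwaway self-signed CA standing in for the exported certificate.
make_demo_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$1/demo-ca.key" -out "$1/exported-ca.pem" 2>/dev/null
}

# Create the <subject-hash>.<n> symlink that a CApath lookup opens, and print
# its name. c_rehash performs this step for every certificate in a directory.
link_by_hash() {
    dir=$1; cert=$2
    h=$(openssl x509 -noout -hash -in "$dir/$cert") || return 1
    n=0
    # Distinct certificates can share a subject hash: take the first free suffix.
    while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
        n=$((n + 1))
    done
    ln -s "$cert" "$dir/$h.$n" && echo "$h.$n"
}

# True only when openssl can verify the certificate using the directory.
trusted_via_capath() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
trusted_via_capath "$demo_dir" "$demo_dir/exported-ca.pem" ||
    echo "before linking: certificate file present but not found by CApath"
echo "created link: $(link_by_hash "$demo_dir" exported-ca.pem)"
trusted_via_capath "$demo_dir" "$demo_dir/exported-ca.pem" &&
    echo "after linking: verification OK"
rm -rf "$demo_dir"
```

Running `ls -l` on the directory after linking shows the hash-named entry pointing at exported-ca.pem, which is a quick check when a certificate file is present but a lookup still fails.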

