Darren,
        After you created the CSR, you are asking the company (X) you're
working with to sign the CSR so anyone trusting X would also trust your
certificate.  Since X signed your CSR, it is acting in the Certificate
Authority (CA) capacity.
        In order for your SSL communication to work, you need to trust X in
your trusted CA list.  I don't know how perl stores the list of CAs but you
need to add it.  By default there should already be a sizable list
containing VeriSign, Entrust, Equifax, Thawte, etc.  After you add X as a
trusted CA, you need to install the certificate it signed as your client
certificate.
        Now let's go through the SSL negotiation in detail--I'll only focus
on the certificate.  After you connect to the server, you send a Client
Hello A using the SSL protocol you set--SSL2, SSL3, or TLS1.  The server
will send back a Server Hello A along with its certificate.  In this case,
most likely the server certificate is also signed by X.  From what I can
see, you didn't trust the CA of the certificate sent by the server and thus
you cannot verify the server certificate.  Assuming you trust X as a CA, you
use the CA's public key to verify that the server certificate is really
signed by the CA.  If the server wants to verify
you as a client, it will send a client certificate request.  You will then
need to send back your client certificate that X signed.  The server will
check your certificate and verify who you are.
        There are additional steps such as cipher negotiation, setting
shared master secrets and other steps that take place during the initial
handshake. But as far as the certificates go, I think that is pretty much
it.

/han

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Nay
Sent: Monday, December 05, 2005 5:06 PM
To: openssl-users@openssl.org
Subject: CA certificate question

Hey All,

I am relatively "SSL Stupid" .. self admittedly.  :)

I am trying to use a certificate that was assigned to me by a company 
whom we are working with and I am having some problems and wondering if 
I can get some assistance.

I generated a standard 1024 bit RSA private key and CSR and then was 
issued a certificate by this company.  Then when I received the 
certificate I was told that I also need to use this company's root CA in 
order to use it.  So they also sent me the necessary root CA cert.  This 
is where I get lost.... :)

Now, I am trying to get my perl app to use these to make an HTTPS 
request and am having problems.  Now, I am -very- experienced with perl 
and have done several HTTPS implementations in the past but never with a 
non-public SSL certificate.  I've always used SSL certs assigned by 
Thawte, Verisign, etc..

Can anyone help me out here?  Is there some special config I need to do 
with OpenSSL to make this work?

The errors that I am getting from the perl LWP module when posting with 
HTTPS in debug mode are:
--------
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello B
500 (Internal Server Error) SSL negotiation failed: error:1407E086:SSL 
routines:SSL2_SET_CERTIFICATE:certificate verify failed
Client-Date: Mon, 05 Dec 2005 22:01:38 GMT

500 SSL negotiation failed: error:1407E086:SSL 
routines:SSL2_SET_CERTIFICATE:certificate verify failed at ../test.pl at 
line 35
--------

Also, FYI, I know that this isn't a perl mailing list but perhaps this 
will help as well.  I am setting the CA_FILE and CA_DIR ENV variables in 
perl for the Crypt::SSLeay module which if I am not mistaken should tell 
it where to look for the root CA.

$ENV{HTTPS_CA_DIR}   = '/home/web/lib/ssl/';
$ENV{HTTPS_CA_FILE}  = 'my-root.cert';

Any Ideas?  Any help at all would be very much appreciated!

Thanks so much,
Darren Nay
[EMAIL PROTECTED]
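As an added example (not from either message), the shell session below plays company X's role as CA, signs a CSR, and uses openssl verify to show the outcomes the thread circles around: the default trust store rejects the certificate (the "unknown CA" case), a CA file holding X's root accepts it, and a CA directory accepts it only in the hash-named layout OpenSSL requires for a CApath (the layout c_rehash produces, and what a CA directory setting such as HTTPS_CA_DIR ends up as). File and subject names are constructed; the leaf here is a client certificate, but the same check applies to the server certificate the Perl client rejected.

```shell
# Constructed demo: company X acts as CA, signs our CSR, and 'openssl verify'
# shows how the result depends on where X's root is trusted.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Company X's self-signed root CA (stands in for the root cert they sent).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Company X Root CA" -keyout x-ca.key -out x-ca.crt 2>/dev/null

# 2. Our own key and CSR; then X signs the CSR, acting as the CA.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=darren-client" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 365 -in client.csr -CA x-ca.crt -CAkey x-ca.key \
  -CAcreateserial -out client.crt 2>/dev/null

# verify_result prints OK or FAIL by inspecting the output line, since older
# openssl versions did not set a reliable exit status for 'verify'.
verify_result() {
  if openssl verify "$@" client.crt 2>&1 | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# 3a. Default trust store only (public CAs, but not X): the "unknown CA" case.
default_store() { verify_result; }

# 3b. X's root supplied as a CA file (what a CA_FILE setting points at).
with_cafile() { verify_result -CAfile x-ca.crt; }

# 3c. A CA directory is searched by subject hash, so a plain copy of the root
#     is never found; the file must be named <hash>.0 as c_rehash would do.
with_plain_dir() {
  mkdir -p plaindir && cp x-ca.crt plaindir/
  verify_result -CApath plaindir
}
with_hashed_dir() {
  mkdir -p hashdir && cp x-ca.crt "hashdir/$(openssl x509 -hash -noout -in x-ca.crt).0"
  verify_result -CApath hashdir
}

echo "default store:  $(default_store)"
echo "CAfile:         $(with_cafile)"
echo "plain CApath:   $(with_plain_dir)"
echo "hashed CApath:  $(with_hashed_dir)"
```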

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]