Darren,

After you created the CSR, you are asking the company (X) you're working with to sign the CSR so anyone trusting X would also trust your certificate. Since X signed your CSR, it is acting in the Certificate Authority (CA) capacity. In order for your SSL communication to work, you need to trust X in your trusted CA list. I don't know how perl stores the list of CAs but you need to add it. By default there should already be a sizable list containing VeriSign, Entrust, Equifax, Thawte, etc. After you add X as a trusted CA, you need to install the certificate it signed as your client certificate.

Now let's go through the SSL negotiation in detail--I'll only focus on the certificate. After you connect to the server, you send a Client Hello A using the SSL protocol you set--SSL2, SSL3, or TLS1. The server will send back a Server Hello A along with its certificate. In this case, most likely the server certificate is also signed by X. From what I can see, you didn't trust the CA of the certificate sent by the server and thus you cannot verify the server certificate. Assuming you trust X as a CA, you use the CA's public key to verify that the server certificate is really signed by the CA. If the server wants to verify you as a client, it will send a client certificate request. You will then need to send back your client certificate that X signed. The server will check your certificate and verify who you are.

There are additional steps such as cipher negotiation, setting shared master secrets and other steps that take place during the initial handshake. But as far as the certificates go, I think that is pretty much it.
/han

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Nay
Sent: Monday, December 05, 2005 5:06 PM
To: openssl-users@openssl.org
Subject: CA certificate question

Hey All,

I am relatively "SSL Stupid" .. self-admittedly. :)

I am trying to use a certificate that was assigned to me by a company whom we are working with and I am having some problems and wondering if I can get some assistance. I generated a standard 1024 bit RSA private key and CSR and then was issued a certificate by this company. Then when I received the certificate I was told that I also need to use this company's root CA in order to use it. So they also sent me the necessary root CA cert. This is where I get lost.... :)

Now, I am trying to get my perl app to use these to make an HTTPS request and am having problems. Now, I am -very- experienced with perl and have done several HTTPS implementations in the past but never with a non-public SSL certificate. I've always used SSL certs assigned by Thawte, Verisign, etc.. Can anyone help me out here? Is there some special config I need to do with OpenSSL to make this work?
The errors that I am getting from the perl LWP module when posting with HTTPS in debug mode are:

--------
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello B
500 (Internal Server Error) SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed
Client-Date: Mon, 05 Dec 2005 22:01:38 GMT
500 SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed at ../test.pl at line 35
--------

Also, FYI, I know that this isn't a perl mailing list but perhaps this will help as well. I am setting the CA_FILE and CA_DIR ENV variables in perl for the Crypt::SSLeay module which if I am not mistaken should tell it where to look for the root CA.

$ENV{HTTPS_CA_DIR} = '/home/web/lib/ssl/';
$ENV{HTTPS_CA_FILE} = 'my-root.cert';

Any Ideas? Any help at all would be very much appreciated!

Thanks so much,
Darren Nay
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
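The trust relationship han describes, tried out with the openssl command line, as an added example that is not part of the thread: a throw-away CA standing in for company X signs a CSR, and `openssl verify` is then run against the result with X's root absent, given as a CA file, and placed in a CA directory (the same two lookups Crypt::SSLeay's HTTPS_CA_FILE and HTTPS_CA_DIR point OpenSSL at). Every name and path is constructed, and an installed openssl CLI with its stock config is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: stand up a throw-away CA "X", have it
# sign a CSR, then ask OpenSSL's verifier about the result with and without
# X trusted. Requires the openssl CLI; every name and path is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"; mkdir empty hashed

# Company X's root: self-signed, i.e. the "root CA cert" X sent along.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Company X Root CA" -days 365 >/dev/null 2>&1
# Darren's side: private key + CSR, then X signs it (X acting as the CA).
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=darren.example" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 365 >/dev/null 2>&1

# Echoes "trusted" or "untrusted" for client.crt under the given trust-store
# options: -CAfile FILE is the lookup HTTPS_CA_FILE feeds, -CApath DIR the
# one HTTPS_CA_DIR feeds.
chain_status() {
    if openssl verify "$@" client.crt 2>/dev/null | grep -q 'client.crt: OK'
    then echo trusted; else echo untrusted; fi
}

# 1. No anchor for X: the peer's certificate cannot be verified, which is
#    the situation behind the "unknown CA" alert in the trace.
echo "no anchor for X:          $(chain_status -CApath empty)"
# 2. X's root handed over as a CA file: client.crt -> X verifies.
echo "X via -CAfile:            $(chain_status -CAfile ca.crt)"
# 3. A CA directory is searched by subject-name hash, so a root copied in
#    under an arbitrary file name is never consulted...
cp ca.crt hashed/my-root.cert
echo "X in dir, unhashed name:  $(chain_status -CApath hashed)"
# ...until it is also reachable as <hash>.0 (what c_rehash generates).
cp ca.crt "hashed/$(openssl x509 -noout -hash -in ca.crt).0"
echo "X in dir, hashed name:    $(chain_status -CApath hashed)"
```

The third case is the one to check when a CA file works but pointing a CA directory at the same certificate does not.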