I have an SSL Certificate that I received from instantssl.com. The
certificate is signed by UTN-USERFirst-Hardware (Root), then by
AddTrustUTNServerCA (Intermediate), then my certificate. I've
downloaded the PEM certificate files for my chain from here:
http://www.instantssl.com/ssl-certificate-support/cert_installation/
I've taken these certificates and concatenated them and put them in
/usr/share/ssl/certs/bundle.crt
I've installed the certificate in Apache/Mod SSL and have no issues.
All browsers seem to verify the certificate chain fine. However, if I
try to use s_client I get the following:
openssl s_client -connect mail.ascellatech.com:443 -CAfile /usr/share/ssl/certs/bundle.crt
CONNECTED(00000003)
depth=1 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=24:invalid CA certificate
verify return:0
---
Certificate chain
 0 s:/C=US/2.5.4.17=22066/ST=Virginia/L=Great Falls/2.5.4.9=11378 Seneca Knoll Drive/O=Ascella Technologies, Inc./OU=InstantSSL/CN=mail.ascellatech.com
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
subject=/C=US/2.5.4.17=22066/ST=Virginia/L=Great Falls/2.5.4.9=11378 Seneca Knoll Drive/O=Ascella Technologies, Inc./OU=InstantSSL/CN=mail.ascellatech.com
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
No client certificate CA names sent
---
SSL handshake has read 4100 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 60ABE53629D3F7508E9867840C831002D150CD62D6D2EC4A80A1275C5E24EF4D
Session-ID-ctx:
Master-Key: 8D2FC6636D9FB094B9787FAA9FE74A095248730E5046E8EA408A1129F6184CD0F1E5FEC097EC249B982FC8314CA1C352
Key-Arg : None
Krb5 Principal: None
Start Time: 1154279456
Timeout : 300 (sec)
Verify return code: 24 (invalid CA certificate)
---
Any idea why I am getting error code 24 (invalid CA certificate)?
Thanks
Amith
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
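
Added example (not part of the original post, and not OpenSSL project code): a small Python parser for s_client text output like the above that ties each "verify error" line to the chain entry it names, so it is clear which certificate to inspect for error 24. The names parse and diagnose, the hint text, and the shortened leaf DN in the sample are assumptions made for this example.

```python
import re

# Constructed input: verify lines and chain from the post, rejoined; leaf DN shortened.
UTN = "/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware"
ADDTRUST = "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
SAMPLE = f"""depth=1 {ADDTRUST}
verify error:num=24:invalid CA certificate
Certificate chain
 0 s:/C=US/O=Ascella Technologies, Inc./OU=InstantSSL/CN=mail.ascellatech.com
   i:{ADDTRUST}
 1 s:{ADDTRUST}
   i:{UTN}
 2 s:{UTN}
   i:{UTN}
"""

# Hints keyed by verify error number; 24 is X509_V_ERR_INVALID_CA.
HINTS = {24: "not a CA, or extensions do not fit the purpose: check basicConstraints/keyUsage"}

def parse(transcript):
    chain, errors, at = [], [], (None, None)
    for line in transcript.splitlines():
        if m := re.match(r"depth=(\d+) (.+)", line):
            at = (int(m[1]), m[2])  # certificate the next verify line refers to
        elif m := re.match(r"verify error:num=(\d+):(.+)", line):
            errors.append({"depth": at[0], "subject": at[1], "num": int(m[1]), "reason": m[2]})
        elif m := re.match(r"\s*(\d+) s:(.+)", line):
            chain.append({"subject": m[2], "issuer": None})
        elif (m := re.match(r"\s*i:(.+)", line)) and chain:
            chain[-1]["issuer"] = m[1]
    return chain, errors

def diagnose(transcript):
    """Return (findings, gaps); gaps lists i where entry i's issuer != entry i+1's subject."""
    chain, errors = parse(transcript)
    out = []
    for e in errors:
        sent = next((c for c in chain if c["subject"] == e["subject"]), None)
        if e["depth"] == 0:
            role = "leaf"
        elif sent is None:
            role = "not in the server's chain (taken from the local CA file)"
        elif sent["issuer"] == sent["subject"]:
            role = "self-signed root"
        else:
            role = "intermediate issued by " + sent["issuer"].rsplit("/CN=", 1)[-1]
        out.append({**e, "role": role, "hint": HINTS.get(e["num"], "see verify(1)")})
    gaps = [i for i in range(len(chain) - 1) if chain[i]["issuer"] != chain[i + 1]["subject"]]
    return out, gaps
```

On the sample, the error maps to chain entry 1: a certificate whose CN says "Root" but which the server presents as an intermediate issued by UTN-USERFirst-Hardware, so that is the certificate whose CA extensions need inspecting.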