When I do that, I now get:
RAPTOR_$ openssl s_client -connect adtest:636 "-CAfile" certnew.pem
CONNECTED(00000003)
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=adtest.altdomain2000.psccos.com
i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Server certificate
<stuff deleted for brevity>
subject=/CN=adtest.altdomain2000.psccos.com
issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Acceptable client certificate CA names
<a bunch of CA's listed, but NOT the local CA that issued the cert>
---
SSL handshake has read 3950 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
AF0A0000C37F50DE8F069E626AF23D763831B871E78B7AD0886FB042B6731262
Session-ID-ctx:
Master-Key:
BB25F868F436649E68039E54D6F712E3AFDB6E523DA3A0FB0E16A9470F9D3CCE
0379BC95A59325993587E6DC2680224B
Key-Arg : None
Start Time: 1159402472
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
bad select 38
I obviously have the wrong certificates, but I have no idea (as should also
be obvious) what certificates I really do need. The file I used as input
to the -CAfile switch is the "CA Certification Path" as downloaded from the
Windows box that runs the CA, and that I converted to PEM format. There's
something not kosher about that certificate, but darned if I have any idea
what.
Any more suggestions?
At 03:39 PM 9/27/2006, Richard Levitte - VMS Whacker wrote:
Hi Dan,
In message <[EMAIL PROTECTED]> on Mon, 25 Sep
2006 09:50:32 -0600, Dan O'Reilly <[EMAIL PROTECTED]> said:
dano> My CA is another system (Windows) and I requested it to create
dano> the trusted root certificate in PKCS7 format, which I copied to
dano> my VMS system. I can use OPENSSL PKCS7 to view the package
dano> contents, and it contains a single certificate. I then tried to
dano> do an OPENSSL VERIFY on that package, and it keeps coming up
dano> with "NO START LINE" and "EXPECTING: TRUSTED CERTIFICATE"
dano> errors. Finally, I tried "openssl s_client -connect
dano> <mydomain>:636 -certform der -CAfile <pkcs7 package>
dano> and it comes up with the following:
You need to extract the certificate from that PKCS#7 package and use
the resulting file. Since OPENSSL PKCS7 will give you the certificate
in PEM format, the best you can probably do is save that in a .PEM
file, and then use it as follows:
openssl s_client -connect <yourdomain>:636 -CAfile <certfile>.PEM
Cheers,
Richard
-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
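The two messages above describe one procedure: a Windows CA hands out its certificate as a PKCS#7 bundle, the certificate has to be unwrapped into PEM before -CAfile can use it, and even then verification only succeeds if the unwrapped certificate is the one whose subject matches the issuer that s_client printed (here CN=homeca). The script below is an added example, not code from either poster; it builds a throwaway CA and server certificate with openssl so the "unable to get local issuer certificate" failure and its fix can be reproduced offline. It assumes an openssl binary (1.1.1 or later) on PATH; the names homeca, otherca and adtest.example.test are stand-ins chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the chain failure locally and
# show the check that tells a wrong -CAfile from an unextracted PKCS#7 bundle.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl required" >&2; exit 1; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed CA with the given CN (stands in for the Windows CA). Output
# files are $work/<basename>.key and $work/<basename>.pem.
make_ca() {  # $1 = CN, $2 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/ST=CO/O=Example/CN=$1" \
    -keyout "$work/$2.key" -out "$work/$2.pem" >/dev/null 2>&1
}
make_ca homeca  ca        # the CA that actually signs the server cert
make_ca otherca otherca   # an unrelated CA, to show a wrong -CAfile

# Server (leaf) certificate issued by homeca, like the adtest cert above.
openssl req -newkey rsa:2048 -nodes -subj "/CN=adtest.example.test" \
  -keyout "$work/server.key" -out "$work/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$work/server.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
  -CAcreateserial -days 1 -out "$work/server.pem" >/dev/null 2>&1

# Wrap the CA cert in a PKCS#7 bundle, the form the "CA Certification Path"
# download arrives in. This is what was (wrongly) handed straight to -CAfile.
openssl crl2pkcs7 -nocrl -certfile "$work/ca.pem" -out "$work/capath.p7b"

# Richard's advice: unwrap the bundle into plain PEM certificates.
extract_pkcs7_certs() {  # $1 = .p7b in, $2 = .pem out
  openssl pkcs7 -in "$1" -print_certs -out "$2"
}

# DN strings with the "subject=" / "issuer=" prefix stripped, so two DNs
# printed by the same openssl build compare as plain strings.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//';  }

# The check to run before blaming s_client: does the file given to -CAfile
# contain a CERTIFICATE block whose subject equals the leaf's issuer? Only
# "-----BEGIN CERTIFICATE-----" blocks count, because that is all -CAfile
# reads; a PKCS7 block in the same file is silently skipped.
cafile_contains_issuer() {  # $1 = CAfile, $2 = leaf cert
  want=$(issuer_of "$2")
  rm -rf "$work/split"; mkdir "$work/split"
  awk -v dir="$work/split" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
  for c in "$work/split"/*.pem; do
    [ -e "$c" ] || continue
    if [ "$(subject_of "$c")" = "$want" ]; then return 0; fi
  done
  return 1
}

# What s_client's "Verify return code" boils down to: can openssl build the
# chain from the leaf to something in the CAfile?
chain_verifies() {  # $1 = CAfile, $2 = leaf cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Walk through the three situations from the thread.
report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
report chain_verifies "$work/capath.p7b" "$work/server.pem"    # raw PKCS#7: fails
extract_pkcs7_certs "$work/capath.p7b" "$work/extracted.pem"
report cafile_contains_issuer "$work/extracted.pem" "$work/server.pem"
report chain_verifies "$work/extracted.pem" "$work/server.pem"  # unwrapped: works
report cafile_contains_issuer "$work/otherca.pem" "$work/server.pem"  # wrong CA
report chain_verifies "$work/otherca.pem" "$work/server.pem"    # wrong CA: fails
```

Against a real server the same check is: take the `i:` line from the "Certificate chain" block that s_client prints, run `openssl pkcs7 -in <downloaded bundle> -print_certs -noout` to list the subjects inside the bundle, and confirm one of them is that issuer. If none is, the bundle is from a different CA than the one that signed the LDAP server's certificate, and no amount of format conversion will make it verify. The "Acceptable client certificate CA names" list in the output is unrelated to this: it is the set of CAs the server would accept a client certificate from, not the CAs needed to verify the server.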