Hello,

> > > >>Trying to test certs before moving on to LDAP tests. The certs were
> > > >>obtained from a CA running on a MS box. Here's what happens:
> > > >>
> > > >>openssl s_client -connect adtest:636 -cert foo.pem "-CAfile" homeca_cert_chain.p7b
> > >
> >The above command is the problem. You can't use a PKCS#7 (.p7b) file directly
> >in the -CAfile command.
> >
> > > openssl pkcs7 -inform der -in homeca_cert_chain.p7b -noout -print_certs -text
> >
> >Use the above command to save the certificate to a PEM file. For example
> >home_ca.pem and use that file for the -CAfile.
>
> It doesn't change anything. Same error.
>
> openssl s_client -connect adtest:636 "-CAfile" homeca_cert_chain.pem
> CONNECTED(00000003)
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=adtest.altdomain2000.psccos.com
>    i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca

To check if you have the proper CA cert in homeca_cert_chain.pem, execute:
 $ openssl x509 -in homeca_cert_chain.pem -noout -subject -issuer
The output should be something like:
 subject= /C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
 issuer= /C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
(provided that you have one certificate in homeca_cert_chain.pem)
If you do not have such a certificate then you must download the proper CA cert.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
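
The conversion and the subject/issuer check discussed in this thread, as an added example that is not part of the original messages. The function names, the file names and the throwaway CA (example-ca) and server certificate (server.example) are constructed for illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. All keys and certificates are throwaway, constructed here.

# Convert a DER PKCS#7 bundle into a PEM file that -CAfile can read.
# -noout is left out: combined with -print_certs it suppresses the PEM blocks.
p7b_to_pem() {          # $1 = input .p7b (DER), $2 = output .pem
    openssl pkcs7 -inform der -in "$1" -print_certs -out "$2"
}

# Succeeds only if the CA file lets OpenSSL build a chain for the certificate.
ca_file_verifies() {    # $1 = CA file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject or issuer name of the first certificate in a PEM file.
name_of() {             # $1 = PEM file, $2 = subject | issuer
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# The manual check from the reply: CA subject must equal the leaf's issuer.
issued_by() {           # $1 = CA PEM, $2 = leaf PEM
    [ "$(name_of "$1" subject)" = "$(name_of "$2" issuer)" ]
}

# Constructed sample: self-signed CA, a server cert it signs, and a DER .p7b.
make_sample() {         # $1 = existing work directory
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=example-ca" \
          -keyout ca.key -out ca.pem 2>/dev/null &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
          -keyout srv.key -out srv.csr 2>/dev/null &&
      openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -days 2 -out srv.pem 2>/dev/null &&
      openssl crl2pkcs7 -nocrl -certfile ca.pem -outform der -out chain.p7b )
}

run_demo() {
    d=$(mktemp -d) && make_sample "$d" || return 1
    p7b_to_pem "$d/chain.p7b" "$d/chain.pem"
    ca_file_verifies "$d/chain.p7b" "$d/srv.pem" \
        && echo ".p7b as -CAfile: verifies" || echo ".p7b as -CAfile: fails"
    ca_file_verifies "$d/chain.pem" "$d/srv.pem" \
        && echo ".pem as -CAfile: verifies" || echo ".pem as -CAfile: fails"
    issued_by "$d/chain.pem" "$d/srv.pem" && echo "CA subject matches issuer"
    rm -rf "$d"
}
run_demo
```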