On Wed, Oct 11, 2006, Aaron Smith wrote:

> Ok.  This is hopefully a simple question, and one that I see
> quite a bit in the archives.  However, everything I've tried and gleaned
> from searching the archives has come up with nothing.  I have a server
> certificate from a Microsoft Domain Controller that was created via MS's
> certificate authority.  I'm trying to get OpenSSL to connect to it, but
> I get the now familiar "unable to get local issuer certificate" error
> when using s_client.  I have the CA certificate, and there are, to my
> knowledge, no intermediate certificates.  I have tried putting the CA
> certificate into the certs directory defined in openssl.cnf with a
> symbolic link of the cert's hash value pointing to it.  I have tried
> doing openssl verify -Cafile ./sandbox-ca.pem server-cert.pem and still
> get the same error.  Now, my assumption is that if I try to do a verify
> on a server certificate and provide the CA (via the -Cafile option), that SHOULD
> be all it needs to verify the certificate, correct?  Is there something
> wrong with my certs?  I've provided both in the email so that maybe
> someone can point out what the problem is:
> 

The problem is that the subject key identifier (SKID) of the issuer certificate
does not match the authority key identifier (AKID) of the server certificate.

You can see this for yourself by doing:

openssl x509 -in cert.pem -text -noout

So whatever generated the certificates needs to be configured so it correctly
uses the same value for AKID in the server as SKID in the CA.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
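Steve's diagnosis, reproduced as an added shell example that is not part of the original thread: it builds two CAs with the same subject name but different keys, signs a server certificate with one of them, then extracts the server's AKID and each CA's SKID from `openssl x509 -text -noout` output and compares them, alongside the result of `openssl verify`. It assumes `openssl` (1.1.1 or later) is in PATH; every name, path and certificate here is constructed for the demo.

```sh
#!/bin/sh
# Demo: verification fails with "unable to get local issuer certificate" when the
# server's AKID does not equal the candidate CA's SKID, even if the CA name matches.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# key_id CERT Subject|Authority -> bare hex of that key identifier extension,
# parsed from the same -text output Steve points at (handles the "keyid:" prefix).
key_id() {
    openssl x509 -in "$1" -noout -text |
        awk -v hdr="X509v3 $2 Key Identifier" '
            found { sub(/keyid:/, ""); gsub(/[^0-9A-Fa-f]/, ""); print; exit }
            index($0, hdr) { found = 1 }'
}

# make_ca NAME -> self-signed CA $WORK/NAME.pem with its own SKID (constructed CA).
make_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > "$WORK/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sandbox CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
        -extfile "$WORK/ca_ext.cnf" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server CANAME -> $WORK/server.pem signed by that CA; AKID is copied from its SKID.
make_server() {
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > "$WORK/srv_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc01.sandbox.example" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -extfile "$WORK/srv_ext.cnf" -out "$WORK/server.pem" 2>/dev/null
}

# chain_ok SERVER CA -> exit 0 if SERVER's AKID equals CA's SKID, 1 otherwise.
chain_ok() {
    akid=$(key_id "$1" Authority); skid=$(key_id "$2" Subject)
    echo "server AKID: $akid"; echo "CA     SKID: $skid"
    [ -n "$akid" ] && [ "$akid" = "$skid" ]
}

# Two CAs with the identical DN "Sandbox CA" but different keys; server issued by ca-a.
make_ca ca-a; make_ca ca-b; make_server ca-a
for ca in ca-a ca-b; do
    if chain_ok "$WORK/server.pem" "$WORK/$ca.pem"; then echo "$ca: identifiers match"
    else echo "$ca: AKID/SKID mismatch, verify will reject it as issuer"; fi
    openssl verify -CAfile "$WORK/$ca.pem" "$WORK/server.pem" || true
done
```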