Well, I figured out PART of my problem. Somehow I got the wrong CA
certificate. Once I got the right one, I can do a successful s_client
connect as long as I provide the -CAfile argument to point openssl to the
correct CA file. However, if I try to do it without the -CAfile argument,
I get the same "unable to get local issuer" problem. I don't have a
cacert.pem file on the system at all (this is a stock Solaris 10 install).
Everything openssl related appears to be in /etc/sfw/openssl, including
the openssl.cnf file. This file has the following default options in the
[CA_default] section:
    dir         = /etc/sfw/openssl
    certs       = $dir/certs
    certificate = $dir/cacert.pem
So, I take this to mean that openssl will
look for CA certificates in /etc/sfw/openssl/cacert.pem? I took the CA
certificate (that works) and put it in /etc/sfw/openssl with the name of
cacert.pem but it still couldn’t find it.
From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Vincenzo Sciarra
Sent: Thursday, October 12, 2006 4:29 AM
To: openssl-users@openssl.org
Subject: Re: Certificate Verification
Try adding the CA certificate to cacert.pem, the default OpenSSL CA
certificate file:

    cat MScaCERT.pem >> cacert.pem
2006/10/12, Dr. Stephen Henson <[EMAIL PROTECTED]>:
On Wed, Oct 11, 2006, Aaron Smith wrote:
> Ok. This is hopefully a simple question, and one that I see quite a bit
> in the archives. However, everything I've tried and gleaned from
> searching the archives has come up with nothing. I have a server
> certificate from a Microsoft Domain Controller that was created via MS's
> certificate authority. I'm trying to get OpenSSL to connect to it, but I
> get the now familiar "unable to get local issuer certificate" error when
> using s_client. I have the CA certificate, and there are, to my
> knowledge, no intermediate certificates. I have tried putting the CA
> certificate into the certs directory defined in openssl.cnf with a
> symbolic link of the cert's hash value pointing to it. I have tried
> doing openssl verify -CAfile ./sandbox-ca.pem server-cert.pem and still
> get the same error. Now, my assumption is that if I try to do a verify
> on a server certificate and provide (via the -CAfile option) that SHOULD
> be all it needs to verify the certificate, correct? Is there something
> wrong with my certs? I've provided both in the email so that maybe
> someone can point out what the problem is:
>
The problem is that the subject key identifier (SKID) of the issuer certificate
does not match the authority key identifier (AKID) of the server certificate.
You can see this for yourself by doing:

    openssl x509 -in cert.pem -text -noout

So whatever generated the certificates needs to be configured so it correctly
uses the same value for AKID in the server as SKID in the CA.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
--
Vincenzo Sciarra
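
As an added example that is not part of this thread (it is not Aaron's, Vincenzo's or Dr. Henson's code), the following script reproduces the situation Dr. Henson diagnoses and the check he suggests: two CA certificates with the same name but different keys, a server certificate signed by the second, and "openssl verify" failing with "unable to get local issuer certificate" against the first because the server's AKID does not match that CA's SKID. It also addresses the default-location question in the top message: without -CAfile or -CApath, s_client and verify look in OPENSSLDIR (printed by openssl version -d) for cert.pem and the hashed certs/ directory, and the SSL_CERT_FILE environment variable overrides that file; the cacert.pem named under [CA_default] is consulted only by "openssl ca". The CA name "Sandbox CA", the host name dc01.sandbox.example and all file names are made up for the example, every key and certificate is generated into a temporary directory, and the script needs the openssl command line tool (it was written against OpenSSL 1.1.1 and 3.x and relies on verify's non-zero exit status on failure).

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the failure Dr. Henson
# diagnoses: a server certificate whose authorityKeyIdentifier (AKID) does
# not match the subjectKeyIdentifier (SKID) of the CA certificate handed to
# -CAfile, and shows how to check it. All keys, certificates and names below
# are constructed test data, generated into a temporary directory.
# Requires the openssl command line tool (written against 1.1.1 and 3.x; the
# output parsing copes with both the old "keyid:" and the newer plain form).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles. The CA profile gives the CA an SKID; the server profile
# copies the signing CA's SKID into the server cert's AKID, which is what
# verification later uses to pick the issuer out of the trust store.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ server_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage = serverAuth
EOF

# make_ca <name>: self-signed CA certificate and key as $WORK/<name>.pem/.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Sandbox CA" -config "$WORK/ext.cnf" -extensions ca_ext \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_server_cert <ca-name> <out-name>: server certificate signed by that CA.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc01.sandbox.example" \
        -config "$WORK/ext.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions server_ext \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# key_id <cert> Subject|Authority: the SKID or AKID as colon-separated hex,
# read from "openssl x509 -text" exactly as the thread suggests.
key_id() {
    openssl x509 -in "$1" -noout -text | awk -v which="$2" '
        $0 ~ ("X509v3 " which " Key Identifier") {
            getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit
        }'
}

# verify_with <cafile> <cert>: "openssl verify -CAfile", printing either the
# OK line or the "lookup:" error line; returns 0 only when the chain verifies.
verify_with() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo "$out"
        return 0
    fi
    echo "$out" | grep 'lookup:' || echo "$out"
    return 1
}

# openssl_dir: OPENSSLDIR, where the tools look for cert.pem and certs/ when no
# -CAfile/-CApath is given ([CA_default] in openssl.cnf only affects "openssl ca").
openssl_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
}

# Two CAs with the same name but different keys (a CA key rollover, or simply
# the wrong export of the CA certificate). The server cert is signed by the second.
make_ca ca_old
make_ca ca_new
issue_server_cert ca_new server

# Stand-alone run: show the identifiers and both verification attempts.
echo "OPENSSLDIR: $(openssl_dir)  (default trust file: cert.pem, default dir: certs/)"
echo "old CA SKID : $(key_id "$WORK/ca_old.pem" Subject)"
echo "new CA SKID : $(key_id "$WORK/ca_new.pem" Subject)"
echo "server AKID : $(key_id "$WORK/server.pem" Authority)"
echo "verify against old CA (same name, wrong key):"
verify_with "$WORK/ca_old.pem" "$WORK/server.pem" || true
echo "verify against new CA:"
verify_with "$WORK/ca_new.pem" "$WORK/server.pem"
# Without -CAfile, SSL_CERT_FILE points the default file lookup at the CA.
echo "verify via the default location (SSL_CERT_FILE):"
SSL_CERT_FILE="$WORK/ca_new.pem" openssl verify "$WORK/server.pem"
```

The old CA fails with error 20 rather than a signature error because the verifier never gets as far as checking the signature: it selects candidate issuers by name and then discards any whose SKID does not equal the certificate's AKID, and with no candidate left it reports that it could not find a local issuer. Comparing the two identifiers with key_id is therefore the quickest way to tell a wrong CA file from a genuinely broken chain.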