On Fri, Nov 03, 2006, Clem Taylor wrote:

> Hi,
>
> I am trying to add a self-signed root certificate to Firefox (1.5.0.7)
> that was generated with openssl and is connecting to an openssl 0.9.7e
> based httpd (acme mini_httpd). The certificate was created with
> openssl 0.9.8a.
>
> I can connect to the httpd just fine with Firefox, but when I add the
> root certificate to Firefox's certificate authority store and connect
> to the web server I get: "Could not establish an encrypted connection
> because certificate presented by <host> is invalid or corrupted. Error
> Code: -8182". Firefox seems to think that the root certificate is
> valid and 'openssl verify' says that the httpd cert is valid (using
> the root cert).
>
> The httpd reports:
> 331:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1052:SSL alert number 42
>
> Wireshark shows the same error:
> TLSv1 Alert (level: fatal, description: bad certificate)
>
> So I haven't got the slightest idea what is bad about the certificate.
> I'm creating the certs using fairly standard steps, based on the CA.pl
> script.
>
> The root certificate is a self-signed 2048 bit DSA cert:
> openssl dsaparam -genkey -out $caDsaFile 2048
> openssl req -config $conf -batch -nodes -new -subj "$subj" \
>     -days $days -newkey dsa:$caDsaFile \
>     -keyout $caKeyFile -out $caReqFile -outform PEM
> openssl ca -config $conf -batch -notext -selfsign -days $days \
>     -extensions v3_ca -out $caCertFile -keyfile $caKeyFile -in $caReqFile
>
> The httpd cert is a 2048 bit RSA cert signed by the root cert above:
> openssl req -config $conf -batch -nodes -subj "$subj" -days $days \
>     -newkey rsa:2048 -keyout $keyFile -keyform PEM \
>     -out $reqFile -outform PEM
> openssl ca -config $conf -batch -notext -days $days \
>     -keyfile $caKeyFile -cert $caCertFile \
>     -in $reqFile -out $certFile
>
> Any ideas what could be the problem here? The 2048 bit DSA key is a
> bit large, but this is for an embedded product that should have a
> fairly long lifespan, so I figured a few extra bits can't hurt.
>

It might be the 2048 bit DSA cert it doesn't like. Try with a 1024 bit
DSA key or a 2048 bit RSA key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
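As an added example (not from this thread and not OpenSSL's own tooling), a small POSIX shell helper that reports the public-key algorithm and size behind each certificate, as printed by `openssl x509 -text`, and flags the combination the reply suspects, a DSA key larger than 1024 bits; the function names and the 1024-bit threshold are assumptions taken from the reply's suggestion.

```shell
#!/bin/sh
# Added example: inspect the key behind each certificate in a chain before
# loading it into a client, so a case like the 2048-bit DSA root above is
# caught early. Assumes openssl(1) on PATH and parses the 'Public Key
# Algorithm:' and '(N bit)' lines of 'openssl x509 -noout -text'. Older
# 0.9.x builds print no bit count for DSA keys; an unknown size is flagged.

# cert_key_algo FILE -> e.g. rsaEncryption, dsaEncryption, id-ecPublicKey
cert_key_algo() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# cert_key_bits FILE -> key size in bits, e.g. 2048 (empty if not printed)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# key_policy ALGO BITS -> 0 if the key matches what the reply suggests the
# client accepts (RSA of any size, DSA of at most 1024 bits), 1 otherwise.
# Other algorithms are outside what the thread covers and pass unchanged.
key_policy() {
    case "$1" in
        rsaEncryption) return 0 ;;
        dsaEncryption|id-dsa)
            [ -n "$2" ] && [ "$2" -le 1024 ] && return 0
            return 1 ;;
        *) return 0 ;;
    esac
}

# chain_report FILE... -> one line per cert "<file> <algo> <bits> OK|SUSPECT";
# exit status is 1 if any certificate was flagged.
chain_report() {
    rc=0
    for f in "$@"; do
        algo=$(cert_key_algo "$f")
        bits=$(cert_key_bits "$f")
        if key_policy "$algo" "$bits"; then status=OK; else status=SUSPECT; rc=1; fi
        printf '%s %s %s %s\n' "$f" "$algo" "${bits:-?}" "$status"
    done
    return "$rc"
}
```

Run it as `chain_report ca.pem server.pem` on the files produced by the CA.pl-style steps above; a SUSPECT line points at the certificate to regenerate with a different key.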