I'm trying to retrace your steps to figure out where the bug could be
(and honestly, the diagnostics are not that helpful).  However, there
is one more thing that I would like you to check: Is the file
./ca-cert.pem in place, and does it contain a certificate?

If it does not have the text "TRUSTED CERTIFICATE" in it, but it does
have "BEGIN CERTIFICATE", please do the following:

cp ./ca-cert.pem ./ca-cert-orig.pem
# trust names as openssl x509 -addtrust spells them: serverAuth, clientAuth, emailProtection
openssl x509 -addtrust serverAuth -in ./ca-cert.pem -out ./ca-cert2.pem
openssl x509 -addtrust clientAuth -in ./ca-cert2.pem -out ./ca-cert3.pem
openssl x509 -addtrust emailProtection -in ./ca-cert3.pem -out ./ca-cert.pem
rm ./ca-cert2.pem ./ca-cert3.pem

This will generate a trusted certificate from the (untrusted) CA certificate.

If ./ca-cert.pem does not exist, or does not have a "BEGIN
CERTIFICATE" in it, then your CA's certificate as it believes itself
to be is borked and needs to be re-copied.  In this case, please
re-copy it, then try it again; if it still doesn't work, then go
through the script above.

(Note: I view this as a bug, as well.  On the TLS mailing list,
there's been a bit of a row pointing out that the "trust anchor" is
the CA's public key as it's distributed to the clients that trust it.
An X.509 CA certificate is a convenient container, but the certificate
itself is not the trust anchor.)

-Kyle H
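The check and conversion described above, as an added shell example that is not part of the thread: it classifies ./ca-cert.pem the way the mail does and performs the -addtrust rewrite in one step. It assumes OpenSSL's x509 tool, which accepts repeated -addtrust options and spells the trust settings serverAuth, clientAuth and emailProtection; the file names follow the mail.

```shell
# Added example (not code from the thread): automate the ca-cert.pem check
# and the -addtrust conversion. Assumes the OpenSSL x509 tool, which takes
# repeated -addtrust options and names the trust settings as below.

# pem_kind FILE: print "trusted" (already a TRUSTED CERTIFICATE),
# "untrusted" (plain CERTIFICATE), "invalid" (no PEM certificate) or
# "missing" (file absent), matching the cases described in the mail.
pem_kind() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    if grep -q 'TRUSTED CERTIFICATE' "$f"; then
        echo trusted
    elif grep -q 'BEGIN CERTIFICATE' "$f"; then
        echo untrusted
    else
        echo invalid
    fi
}

# add_trust FILE: keep a copy of the plain CA certificate as
# FILE-orig.pem and rewrite FILE as a TRUSTED CERTIFICATE carrying the
# three trust settings, in one openssl invocation instead of three.
add_trust() {
    f=$1
    orig=${f%.pem}-orig.pem
    cp "$f" "$orig" &&
    openssl x509 -in "$orig" \
        -addtrust serverAuth -addtrust clientAuth -addtrust emailProtection \
        -out "$f"
}

# check_and_fix FILE: apply the decision procedure from the mail.
check_and_fix() {
    case $(pem_kind "$1") in
        trusted)
            echo "$1: already a TRUSTED CERTIFICATE, nothing to do" ;;
        untrusted)
            add_trust "$1" &&
            echo "$1: rewritten as TRUSTED CERTIFICATE (backup: ${1%.pem}-orig.pem)" ;;
        *)
            echo "$1: missing or not a PEM certificate; re-copy it from the CA" >&2
            return 1 ;;
    esac
}

# Usage: sh fix-ca-cert.sh ./ca-cert.pem
if [ $# -eq 1 ]; then
    check_and_fix "$1"
fi
```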

On 12/15/06, Alex <[EMAIL PROTECTED]> wrote:
On Fri, 15 Dec 2006 19:02:35 -0700
"Kyle Hamilton" <[EMAIL PROTECTED]> wrote:

> What are the contents of your openssl.cnf?  Are you using precisely
> the same configuration you were using with earlier versions of
> openssl?
>
> If you have the ability to use an older version of openssl with the
> same configuration file, does it currently work?
>
> -Kyle H
>

# $Id: openssl.cnf,v 1.2 2004/01/22 19:27:32 jmates Exp $
#
# OpenSSL configuration file for custom Certificate Authority. Use a
# different openssl.cnf file to generate certificate signing requests;
# this one is for use only in Certificate Authority operations (csr ->
# cert, cert revocation, revocation list generation).
#
# Be sure to customize this file prior to use, e.g. the commonName and
# other options under the root_ca_distinguished_name section.

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = .
# unused at present, and my limited certs can be kept in current dir
#certs          = $dir/certs
new_certs_dir   = $dir/newcerts
crl_dir         = $dir/crl
database        = $dir/index

certificate     = $dir/ca-cert.pem
serial          = $dir/serial
crl             = $dir/ca-crl.pem
private_key     = $dir/private/ca-key.pem
RANDFILE        = $dir/private/.rand

x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default
cert_opt        = ca_default

default_crl_days= 30
default_days    = 730
# if need to be compatible with older software, use weaker md5
default_md      = sha1
# MSIE may need following set to yes?
preserve        = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = supplied
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = supplied
commonName              = supplied
emailAddress            = supplied

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 4096
default_keyfile         = ./private/ca-key.pem
default_md              = rmd160

prompt                  = no
distinguished_name      = root_ca_distinguished_name

x509_extensions = v3_ca

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req

[ root_ca_distinguished_name ]
commonName = xxx
countryName = US
stateOrProvinceName = xxx
localityName = xxx
0.organizationName = xxx
emailAddress = xxx

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

#nsCaRevocationUrl               = https://www.sial.org/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always


--
Alex



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
