If ca-cert.pem does not start with:

-----BEGIN CERTIFICATE
or
-----BEGIN TRUSTED CERTIFICATE

then it got corrupted. You need to recopy it from one of your end-entity systems that has it as a trust anchor. This is the issue, and is what's causing the problem.

-Kyle H

On 12/16/06, Alex <[EMAIL PROTECTED]> wrote:
On Fri, 15 Dec 2006 23:26:19 -0700 "Kyle Hamilton" <[EMAIL PROTECTED]> wrote:

> I'm trying to retrace your steps to figure out where the bug could be
> (and honestly, the diagnostics are not that helpful). However, there
> is one more thing that I would like you to check: Is the file
> ./ca-cert.pem in place, and does it contain a certificate?
>
> If it does not have the text "TRUSTED CERTIFICATE" in it, but it does
> have "BEGIN CERTIFICATE", please do the following:
>
> cp ./ca-cert.pem ./ca-cert-orig.pem
> openssl x509 -addtrust serverAuthentication -in ./ca-cert.pem -out ./ca-cert2.pem
> openssl x509 -addtrust clientAuthentication -in ./ca-cert2.pem -out ./ca-cert3.pem
> openssl x509 -addtrust emailProtection -in ./ca-cert3.pem -out ./ca-cert.pem
> rm ca-cert2.pem ca-cert3.pem
>
> This will generate a trusted certificate from the (untrusted) CA
> certificate.
>
> If ./ca-cert.pem does not exist, or does not have a "BEGIN
> CERTIFICATE" in it, then your CA's certificate as it believes itself
> to be is borked and needs to be re-copied. In this case, please
> re-copy it, then try it again; if it still doesn't work, then go
> through the script above.
>
> (Note: I view this as a bug, as well. On the TLS mailing list,
> there's been a bit of a row pointing out that the "trust anchor" is
> the CA's public key as it's distributed to the clients that trust it.
> An X.509 CA certificate is a convenient container, but the certificate
> itself is not the trust anchor.)
>
> -Kyle H

All three commands failed. I modified commands two and three because they depend on the first command, which failed.
$ openssl x509 -addtrust serverAuthentication -in ./ca-cert.pem -out ./ca-cert2.pem
Invalid trust object value serverAuthentication
usage: x509 args
$ openssl x509 -addtrust clientAuthentication -in ./ca-cert.pem -out ./ca-cert2.pem
Invalid trust object value clientAuthentication
usage: x509 args
$ openssl x509 -addtrust emailProtection -in ./ca-cert.pem -out ./ca-cert2.pem
unable to load certificate
4757:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE
$ head ca-cert.pem
BZh91AY&SY [...] (unprintable characters)
$ openssl x509 -inform pem -in ca-cert.pem -noout -text
unable to load certificate
8089:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

--
Alex
--
-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
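As an added, self-contained check (not code from this thread or from OpenSSL), the script below applies Kyle's test to the raw bytes of a supposed ca-cert.pem. It reports whether the file carries a PEM CERTIFICATE or TRUSTED CERTIFICATE envelope, whether the base64 body decodes to a well-framed DER SEQUENCE (for a TRUSTED CERTIFICATE, optionally followed by the OpenSSL CertAux trailer that records the trust settings -addtrust writes), and, as a recovery hint, whether the file starts with the bytes "BZh", which are the magic of a bzip2 stream: the "BZh91AY&SY" that Alex's head command printed is exactly that header, so his copy was most likely a bzip2-compressed archive that was never decompressed, which is why PEM_read_bio found no start line. The certificate and CertAux bytes in the script are constructed stand-ins (a SEQUENCE holding INTEGER 1, and a trust list naming id-kp-serverAuth), not a real certificate, and every function and constant name is the example's own. One caveat for anyone repeating the -addtrust steps: openssl x509 -addtrust takes OpenSSL's short object names, serverAuth, clientAuth and emailProtection, which is why the first two commands in the thread were rejected with "Invalid trust object value" before the file was even opened.

```python
"""Inspect the bytes of a supposed ca-cert.pem trust-anchor file.

Added example; not code from the thread or from OpenSSL.  It mirrors the
states the thread distinguishes: a PEM CERTIFICATE, a PEM TRUSTED
CERTIFICATE (certificate DER followed by an OpenSSL CertAux trailer), and
a file with no PEM start line at all, plus a check for the bzip2 magic.
"""
import base64
import bz2
import re

# PEM labels OpenSSL accepts when loading a certificate as a trust anchor
ACCEPTED_LABELS = {b"CERTIFICATE", b"TRUSTED CERTIFICATE"}
BZIP2_MAGIC = b"BZh"  # every bzip2 stream starts with these three bytes

PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>[A-Za-z0-9+/=\s]*?)-----END (?P=label)-----"
)


def der_sequence_length(der, offset=0):
    """Total byte length of the DER SEQUENCE at `offset` (tag + length + content),
    or None if the bytes there are not a well-framed SEQUENCE."""
    if len(der) < offset + 2 or der[offset] != 0x30:
        return None
    first = der[offset + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < offset + 2 + n:
        return None
    return 2 + n + int.from_bytes(der[offset + 2:offset + 2 + n], "big")


def inspect_pem(data):
    """Classify `data`; returns a dict whose 'status' is one of
    ok, bzip2-stream, no-pem-header, wrong-pem-label, bad-base64, bad-der, trailing-data."""
    if data.startswith(BZIP2_MAGIC):
        result = {"status": "bzip2-stream", "label": None,
                  "detail": "starts with the bzip2 magic: a compressed stream, not PEM"}
        try:  # show what the file would look like once decompressed
            result["inner"] = inspect_pem(bz2.decompress(data))
        except (OSError, ValueError):
            result["inner"] = None
        return result

    m = PEM_RE.search(data)
    if m is None:  # the case OpenSSL reports as "no start line"
        return {"status": "no-pem-header", "label": None,
                "detail": "no -----BEGIN/-----END pair found"}
    label = m.group("label")
    if label not in ACCEPTED_LABELS:
        return {"status": "wrong-pem-label", "label": label.decode(),
                "detail": "PEM block is not a CERTIFICATE or TRUSTED CERTIFICATE"}

    body = re.sub(rb"\s+", b"", m.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return {"status": "bad-base64", "label": label.decode(),
                "detail": "body between the markers is not valid base64"}

    cert_len = der_sequence_length(der)
    if cert_len is None or cert_len > len(der):
        return {"status": "bad-der", "label": label.decode(),
                "detail": "decoded body does not begin with a complete DER SEQUENCE"}
    rest = der[cert_len:]
    has_aux = False
    if rest:
        # Only a TRUSTED CERTIFICATE may carry OpenSSL's CertAux trailer
        # (trust/reject OIDs, alias, key id) after the certificate itself.
        if label != b"TRUSTED CERTIFICATE":
            return {"status": "trailing-data", "label": label.decode(),
                    "detail": f"{len(rest)} unexpected bytes after the certificate"}
        if der_sequence_length(rest) != len(rest):
            return {"status": "bad-der", "label": label.decode(),
                    "detail": "CertAux trailer is not a single well-framed SEQUENCE"}
        has_aux = True
    return {"status": "ok", "label": label.decode(), "has_aux": has_aux,
            "detail": f"{len(der)} DER bytes"}


def make_pem(label, der):
    """Wrap DER bytes in a PEM envelope with the given label."""
    return (b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + label + b"-----\n")


# Constructed sample inputs (not real certificates):
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"              # SEQUENCE { INTEGER 1 } standing in for a cert
FAKE_AUX_DER = (b"\x30\x0c\x30\x0a\x06\x08"          # CertAux SEQUENCE { trust SEQUENCE { OID } }
                b"\x2b\x06\x01\x05\x05\x07\x03\x01")  # OID 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth
GOOD_CERT = make_pem(b"CERTIFICATE", FAKE_CERT_DER)
GOOD_TRUSTED = make_pem(b"TRUSTED CERTIFICATE", FAKE_CERT_DER + FAKE_AUX_DER)
COMPRESSED_COPY = bz2.compress(GOOD_CERT)             # begins with b"BZh91AY&SY", like the head output

if __name__ == "__main__":
    for name, sample in [("good cert", GOOD_CERT), ("good trusted", GOOD_TRUSTED),
                         ("bzip2 copy", COMPRESSED_COPY), ("garbage", b"hello\n")]:
        r = inspect_pem(sample)
        print(f"{name:12s} -> {r['status']:14s} {r['detail']}")
        if r.get("inner"):
            print(f"{'':12s}    after bzip2 decompress: {r['inner']['status']}")
```

Running it on a real file is a matter of `inspect_pem(open("ca-cert.pem", "rb").read())`; a "bzip2-stream" result whose inner status is "ok" means the trust anchor is intact and only needs `bunzip2` before OpenSSL will read it, whereas "no-pem-header" on the decompressed bytes means the file really does have to be recopied from a system that holds it as a trust anchor.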