Re: ssl cert bring in after csr was send.. howto

Mon, 19 Mar 2007 08:59:33 -0800 

Thanks Victor for your help

STARTTLS=server, error: SSL_CTX_check_private_key failed(/demoCA/serverkey.pem)

the new cert I called serverkey.pem   how do I creat the key for this file

Mike


On 3/19/07, Victor Duchovni <[EMAIL PROTECTED]> wrote:

On Mon, Mar 19, 2007 at 10:58:19AM -0400, Michael Fedor wrote:

> I created that...just to get ssl/tls working   how  and what do I do
> with the files they sent me

Ensure that all 4 files are in PEM format. For each file try:

    openssl x509 -in type_name_of_file_here -noout -issuer -subject

if that fails try:

    openssl x509 -inform DER -in name_of_file_here -noout -issuer -subject

if this succeds convert to PEM:

    openssl x509 -inform DER -in name_of_file_here \
        -out name_of_file_here.tmp.pem

then create a single file with the 4 certs in reverse order:

    cat \
        PEM_file_with_server_cert.pem \
        PEM_file_with_netsol_cert.pem \
        PEM_file_with_utna_cert.pem \
        PEM_file_with_external_root_ca_cert.pem  > newcert.pem

Use that as your server "certificate" file provided that your MTA is
configured to look for the private key in a separate file. Otherwise
make sure "newcert.pem" is owned by "root" mode "0600" and also append
the private key in PEM format.

This is an MTA question, not an OpenSSL question. Read the TLS docs
for your MTA and if that fails, Ask for help on the forum for your MTA
(likely Sendmail, given that it includes "HELP" in its EHLO response).

> >> They send me 4 files
> >>
> >> 1 AddTrustExternalCARoot.ca  trust root
> >>
> >> 2 UTNAddTrustServer_CA.crt   intermediate ca
> >>
> >> 3 NetworkSolutions_CA.crt  intermediate ca
> >>
> >> 4 (domain) ther.com    domain cert
> >>
> >
> >If they are your CA, it seems unlikely that they would send you a
> >self-sign certificate for your server.
> >
> >> Certificate chain
> >> 0 s:/C=US/ST=NY/O=Reserve Management Corporation/CN=smtp1.ther.com
> >>   i:/C=US/ST=NY/O=Reserve Management Corporation/CN=smtp1.ther.com
> >
> >Your server certificate is self-signed, rather than signed by  one
> >of the above CAs.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to