Hi All,

We have a web server running on an Apache/Tomcat platform (Sun Solaris 10) with a VeriSign certificate. I'm trying to use the same certificate with openssl 0.9.8f for my stand-alone web services application (listening on separate ports, of course). So I followed the procedure at http://mark.foster.cc/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips to convert the certificate and key files. In short, the PEM-converted private key file and certificate file are combined to come up with the final server key file. When tested with 'openssl s_server' and 'openssl s_client', the client side complains as follows:

  (on server side) % openssl s_server -cert converted_key_certificate.pem
  (on client side) % openssl s_client

  depth=0 /C=US/ST=California/L=San Jose/O=Aeris Communications, Inc./OU=Unknown/OU=..
  verify error:num=20:unable to get local issuer certificate
  verify return:1

If I provide the intermediate CA certificate from VeriSign on the client side, then I get a different error message as follows:

  (on client side) % openssl s_client -CAfile converted_intermediate_CA_from_VeriSign.pem

  verify error:num=2:unable to get issuer certificate
  issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority'
  verify return:0

I contacted VeriSign, but they don't seem to care about openssl.

My questions are:
(1) Is the VeriSign certificate web server platform specific? (I don't believe so, but just double-checking.)
(2) Is there any reference for this type of certificate conversion?
(3) What's the right sequence/contents of the server key file with certificate (in PEM format)?
(4) Does VeriSign's intermediate CA certificate play any role here?
(5) Do I need to get/specify a certain CA certificate on the client side?
    The cacerts.pem file that comes with openssl installation doesn't seem to work in this case.
    The cacerts.pem file from gSoap doesn't work either.

Thanks in advance,

Dennis Kim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
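
Added example, not part of the original post: the script below builds a constructed root CA -> intermediate CA -> server certificate chain with the openssl command line and runs `openssl verify` against it, reproducing verify errors 20 and 2 quoted above and then the case where the client trusts the root while the intermediate is supplied as an untrusted chain certificate (as a server would send it in the handshake). All certificate names, file names and the helper functions (build_chain, issue, verify_result) are assumptions made for this example, and it assumes a current openssl binary rather than 0.9.8f.

```shell
#!/bin/sh
# Constructed chain: root CA -> intermediate CA -> server (leaf) certificate.
# Every name and file below is made up for this example.

issue() {  # issue DIR NAME CN SIGNER EXT_SECTION: sign NAME with SIGNER's key
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # build_chain DIR: write root.pem, int.pem, leaf.pem into DIR
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root, then intermediate signed by root, leaf by intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
    -extensions v3_ca -subj "/CN=Constructed Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" int "Constructed Intermediate CA" root v3_ca
  issue "$1" leaf "constructed.example" int v3_leaf
}

verify_result() {  # prints the first verify error number, or "ok"
  out=$(openssl verify "$@" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"; return; fi
  case "$out" in *": OK"*) echo ok ;; *) echo unknown ;; esac
}

w=$(mktemp -d)
build_chain "$w"
# Client has no CA for this chain and only sees the leaf.
echo "leaf only:                    $(verify_result "$w/leaf.pem")"
# Client trusts only the intermediate; the intermediate's own issuer is missing.
echo "intermediate as -CAfile:      $(verify_result -CAfile "$w/int.pem" "$w/leaf.pem")"
# Client trusts the root; intermediate is supplied as an untrusted chain cert.
echo "root trusted + intermediate:  $(verify_result -CAfile "$w/root.pem" \
  -untrusted "$w/int.pem" "$w/leaf.pem")"
rm -rf "$w"
```

The number printed for each case is the `num=` value that `s_client` reports in its `verify error` line.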