Thanks for the quick response.
The missing piece was the Root CA certificate. I downloaded (1) VeriSign's
intermediate CA cert from VeriSign's web site and (2) VeriSign's Root CA
from the IE browser, and put them into one CA cert file. As you described,
the subject-issuer chain is now complete. Verification is also ok:
$ openssl verify -CAfile CA.pem my_cert.pem
my_cert.pem: OK
Another test using openssl s_server/s_client is successful, too!
A follow-up question just for a double check. The my_cert.pem file
consists of two parts: [RSA private key] and [certificate (public key)].
Is this the correct sequence? I saw a certificate file that contains
three parts: [certificate (?)], [RSA private key], [certificate (public
key)]. We don't need anything from the intermediate CA certificate in this
my_cert file?
Thanks, again.
- Dennis
Marek Marcola wrote:
Hello,
We have a web server running on Apache/Tomcat platform (Sun Solaris 10)
with a VeriSign certificate. I'm trying to use the same certificate with
openssl 0.9.8f for my stand-alone web services application (listening on
separate ports, of course). So I followed the procedure as in
http://mark.foster.cc/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips
to convert the certificate and key files. In short, the PEM converted
private key file and certificate file are combined to come up with final
server key file.
When tested with 'openssl s_server' and 'openssl s_client', the client
side complains as follows:
(on server side) % openssl s_server -cert converted_key_certificate.pem
(on client side) % openssl s_client
depth=0 /C=US/ST=California/L=San Jose/O=Aeris Communications,
Inc./OU=Unknown/OU=..
verify error:num=20:unable to get local issuer certificate
verify return:1
If I provide the intermediate CA certificate from VeriSign on the client
side, then I get a different error message as follows:
(on client side) % openssl s_client -CAfile
converted_intermediate_CA_from_VeriSign.pem
verify error:num=2:unable to get issuer certificate
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary
Certification Authority'
verify return:0
This means that this is an intermediate certificate; you should get the
full CA certificate chain from VeriSign.
Display your certificate subject/issuer:
$ openssl x509 -in your_cert.pem -noout -subject -issuer
Next, get the CA certificate which has a "subject" equal to your cert's "issuer" and
display these two "fields" of this CA certificate; if subject != issuer,
get the next intermediate CA certificate which has a "subject" equal to this CA
cert's issuer, and go up until the last CA's subject == issuer.
Next copy all these CA certs to CA.pem and use them as CA certs.
You may also easily verify your cert against the CA certs with the command:
$ openssl verify -CAfile CA.pem your_cert.pem
Best regards,
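The subject/issuer walk Marek describes, and the combined key+cert server file Dennis asks about, as an added runnable example that is not part of this thread: it generates a throwaway root, intermediate and server cert (all names such as "Example Root CA" are made up for the demo), assembles CA.pem by following issuer to subject until a self-signed root is reached, and verifies the server cert against it. It assumes an `openssl` binary on PATH.

```shell
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain, assemble CA.pem by the subject/issuer walk, verify the leaf, and write the
# combined server file. All names are constructed for the demo.
set -e
DIR=$(mktemp -d)
cd "$DIR"
subj() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
iss()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Constructed three-level chain standing in for root CA, intermediate CA and server cert.
mk_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Root CA' \
        -keyout root.key -out root.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null
}

# Walk up from the leaf: pick the pool cert whose subject equals the current issuer,
# append it to CA.pem, and stop once subject == issuer (self-signed root reached).
build_ca_pem() {
    leaf=$1; shift
    : > CA.pem
    want=$(iss "$leaf")
    while :; do
        found=
        for c in "$@"; do
            [ "$(subj "$c")" = "$want" ] && { found=$c; break; }
        done
        [ -n "$found" ] || { echo "chain broken: no CA cert with subject $want" >&2; return 1; }
        cat "$found" >> CA.pem
        want=$(iss "$found")
        [ "$(subj "$found")" = "$want" ] && return 0
    done
}
verify_leaf() { openssl verify -CAfile CA.pem "$1" >/dev/null 2>&1; }

mk_chain
build_ca_pem leaf.pem int.pem root.pem       # pool order does not matter
verify_leaf leaf.pem && echo "leaf.pem: OK"
# Combined server file as in the thread: private key followed by the server cert only;
# the CA certs stay in CA.pem.
cat leaf.key leaf.pem > my_cert.pem
```

Leaving the root out of the pool makes `build_ca_pem` stop with "chain broken", which is the same incomplete-chain situation the "unable to get issuer certificate" error above reports.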