> Hello,
>
> > We have a web server running on Apache/Tomcat platform (Sun Solaris 10)
> > with a VeriSign certificate. I'm trying to use the same certificate with
> > openssl 0.9.8f for my stand-alone web services application (listening on
> > separate ports, of course). So I followed the procedure as in
> > http://mark.foster.cc/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips
> > to convert the certificate and key files. In short, the PEM converted
> > private key file and certificate file are combined to come up with the final
> > server key file.
> > When tested with 'openssl s_server' and 'openssl s_client', the client
> > side complains as follows:
> >
> > (on server side) % openssl s_server -cert converted_key_certificate.pem
> > (on client side) % openssl s_client
> >
> > depth=0 /C=US/ST=California/L=San Jose/O=Aeris Communications,
> > Inc./OU=Unknown/OU=..
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> >
> > If I provide the intermediate CA certificate from VeriSign on the client
> > side, then I get a different error message as follows:
> >
> > (on client side) % openssl s_client -CAfile
> > converted_intermediate_CA_from_VeriSign.pem
> >
> > verify error:num=2:unable to get issuer certificate
> > issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary
> > Certification Authority'
> > verify return:0
>
> This means that this is an intermediate certificate; you should get the
> full CA certificate chain from VeriSign.
>
> Display your certificate subject/issuer:
>
>   $ openssl x509 -in your_cert.pem -noout -subject -issuer
>
> next, get the CA certificate which has "subject" equal to your cert's "issuer" and
> display these two "fields" of this CA certificate; if subject != issuer,
> get the next intermediate CA certificate which has "subject" equal to this CA
> cert's issuer, and go up until the last CA's subject == issuer.
> Next copy all these CA certs to CA.pem and use it as CA certs.
> You may also easily verify your cert against the CA certs with the command:
>
>   $ openssl verify -CAfile CA.pem your_cert.pem
>
Just a thought .... would "s_client -verify 1" have worked in this case, where he indeed has one intermediate CA cert (and mostly the first CA cert in the chain) available to verify the server cert against?

~ Urjit

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
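The chain-building procedure from the quoted reply (match each certificate's issuer to a candidate CA's subject, stop at a self-signed root, then run `openssl verify -CAfile`), written out as a POSIX shell script. This is an added example, not code from the thread or from the OpenSSL project. It generates its own throwaway root -> intermediate -> leaf PKI so it runs offline; the file names, the `build_chain` and `make_test_pki` helper names, and the `www.example.test` subject are all assumptions made for the demo. The `cas_noroot` directory reproduces the incomplete-chain situation the original poster hit ("unable to get issuer certificate"): the walk fails because the intermediate's issuer is not among the candidates.

```shell
#!/bin/sh
# Added example (not from the original thread): build a CA chain for a
# server certificate by walking issuer -> subject matches, then verify it.
# All names and paths below are assumptions; the PKI is generated locally.

# Print a certificate's subject or issuer DN without the "subject="/"issuer="
# prefix, so values compare equal regardless of OpenSSL's output formatting.
dn_field() {           # dn_field <subject|issuer> <cert.pem>
    openssl x509 -in "$2" -noout "-$1" 2>/dev/null | sed 's/^[a-z]*= *//'
}

# build_chain <leaf.pem> <dir-of-candidate-CA-certs> <out CA.pem>
# Appends each issuer certificate to the output file until a self-signed
# root (subject == issuer) is reached; prints the number of CA certs written.
# Returns 1 when some issuer is missing from the candidates, i.e. the chain
# is incomplete (the cause of "unable to get issuer certificate").
build_chain() {
    leaf=$1; cadir=$2; out=$3
    : > "$out"
    want=$(dn_field issuer "$leaf")
    n=0
    while [ "$n" -lt 10 ]; do        # depth cap guards against cycles
        found=
        for c in "$cadir"/*.pem; do
            [ -f "$c" ] || continue
            if [ "$(dn_field subject "$c")" = "$want" ]; then
                found=$c; break
            fi
        done
        [ -n "$found" ] || return 1  # issuer not available: chain incomplete
        cat "$found" >> "$out"
        n=$((n + 1))
        iss=$(dn_field issuer "$found")
        if [ "$(dn_field subject "$found")" = "$iss" ]; then
            echo "$n"; return 0      # reached the self-signed root
        fi
        want=$iss
    done
    return 1
}

# Generate a throwaway root -> intermediate -> leaf PKI under $1 (constructed
# test data, not a real CA). CA certs go to $1/cas; $1/cas_noroot holds only
# the intermediate, to reproduce the incomplete-chain failure.
make_test_pki() {
    d=$1
    mkdir -p "$d/cas" "$d/cas_noroot"
    cat > "$d/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Test Root" \
        -days 1 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cp "$d/root.pem" "$d/inter.pem" "$d/cas/"
    cp "$d/inter.pem" "$d/cas_noroot/"
}

# Demo: full chain verifies; the candidate set without the root does not.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
n=$(build_chain "$demo_dir/leaf.pem" "$demo_dir/cas" "$demo_dir/CA.pem")
echo "chain built with $n CA certificate(s)"
openssl verify -CAfile "$demo_dir/CA.pem" "$demo_dir/leaf.pem"
if build_chain "$demo_dir/leaf.pem" "$demo_dir/cas_noroot" "$demo_dir/partial.pem"; then
    :
else
    echo "cas_noroot: chain incomplete (issuer of the intermediate not found)"
fi
rm -rf "$demo_dir"
```

The walk stops only when it reaches a certificate whose subject equals its own issuer, so a CA.pem that verifies cleanly necessarily contains the root; if `openssl verify` still reports error 2 after this, a candidate is missing, which is exactly what the intermediate-only case above demonstrates.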