Hi Sachin:

On July 29, 2008 09:53:47 am Sachin Puttur wrote:
> Hi,
> The Self signed Certificate is created in Windows server 2008 as given
> below. We have created the certificate file hpcpb.cer.
>
> Then we will follow below steps in linux machine .
>
> 1) openssl x509 -in test.cer -inform d -out hpcbp.pem
>
>
> 2) cp hpcbp.pem /usr/share/ssl/certs/.
>
> 3) c_rehash
>

This is probably not doing what you think it is doing... what are you trying to do here?

> 4) I am issuing below command from Linux machine(blrm188) to connect the
> machine where windows server 2008 is installed .
> openssl s_client -connect blrm188.hpccluster:443
>

Ok

> [EMAIL PROTECTED] HPCBP]# openssl s_client -connect blrm188.hpccluster:443
> CONNECTED(00000003)
> depth=0 /CN=BLRM188.HPCCLUSTER
> *verify error:num=20:unable to get local issuer certificate*
> verify return:1
> depth=0 /CN=BLRM188.HPCCLUSTER
> *verify error:num=21:unable to verify the first certificate*
> verify return:1

And there is your error - unable to get local issuer certificate... for a self signed certificate, this is 100% expected.

First of all, you aren't specifying a "-CApath /usr/share/ssl/certs/" that would possibly allow openssl to find the Self signed certificates.

The second thing is that OpenSSL is expecting to find a certificate with "BasicConstraints = CA:True" and "Key Usage = certSign" for the issuer certificate. Since the certificate that you are using says that it is only valid for Web Authentication, then it isn't permissible for that certificate to sign itself (that's what certSign is about).

Anyways - I strongly recommend either just purchasing a correct certificate, or setting up your CA correctly to generate valid certificates.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
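
An added example, not part of the original thread: it builds a hashed trust directory by hand (the step c_rehash automates) and checks a self-signed certificate carrying CA:TRUE and keyCertSign against it with -CApath. The subject name, file names and temporary directories are constructed for the demo, and it assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example: the CN, file names and directories are constructed for the demo.
set -eu

# Create a self-signed certificate that is permitted to act as its own issuer.
make_selfsigned() {            # $1 = working directory
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_selfsigned
prompt             = no
[dn]
CN = demo.example.invalid
[v3_selfsigned]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, digitalSignature, keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Do by hand what c_rehash does for one certificate: -CApath lookups are by
# subject-name hash, so the file must be reachable as <hash>.0 in the directory.
install_trusted() {            # $1 = PEM certificate, $2 = trust directory
    h=$(openssl x509 -noout -subject_hash -in "$1")
    cp "$1" "$2/$h.0"
}

# Exit status 0 only if the certificate chains to something in the directory.
verify_with_capath() {         # $1 = PEM certificate, $2 = trust directory
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/trust"
    make_selfsigned "$work"
    if verify_with_capath "$work/cert.pem" "$work/trust"; then before=ok; else before=fail; fi
    install_trusted "$work/cert.pem" "$work/trust"
    if verify_with_capath "$work/cert.pem" "$work/trust"; then after=ok; else after=fail; fi
    rm -rf "$work"
    echo "empty trust dir: $before; after hashed install: $after"
}
demo
```

Copying a PEM file into the directory under its own name is not enough; without the `<hash>.0` name the lookup never finds it.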