On Sat, Mar 07, 2009 at 01:12:38PM -0500, Paul Hart wrote:
> Hi,
>
> I'm running into an issue (with both 0.9.7l and 0.9.8g) where I'm
> attempting to connect to a server with a client certificate and what
> appears to be a complete chain of server certificates, and yet I'm
> still getting the 'unknown ca' error.
>
> My command line is:
>
> openssl s_client \
>   -connect [HOST]:443 \
>   -CAfile server_chain.pem \
>   -cert client_keypair.pem \
>   -key client_keypair.pem
Don't put your trust chain in the CAfile, that's for validating server
certs; rather make sure your client_keypair.pem file also contains
additional CA certs as required: first the client cert, then the
intermediate CA that signed it, ... up to the root CA cert, which is
optional.

> To my (admittedly noob-ish) eyes, it appears that everything in the
> chain has been validated successfully. If I remove the -CAfile
> parameter, I get the following output (again 0.9.8g on Ubuntu):

You are happy with the server cert, but the server is not happy with
your (client) cert.

--
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
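The file layout Viktor describes, as an added example that is not part of the thread or of OpenSSL itself: a throwaway root -> intermediate -> client hierarchy is generated, client_keypair.pem is assembled as key, client cert, then the intermediate that signed it, and openssl verify shows why a server that trusts only the root cannot validate the client cert unless the intermediate comes along. It assumes openssl(1) 1.1.1 or later on PATH; every subject name below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes openssl 1.1.1+.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-contained config so nothing depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

gen_key_csr() {  # $1 = basename, $2 = subject; writes $1.key and $1.csr
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config req.cnf -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Root CA (self-signed): the only cert the server side needs to trust.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -config req.cnf -extensions v3_ca -days 1 \
  -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA, signed by the root (constructed name).
gen_key_csr inter "/CN=Constructed Intermediate CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile req.cnf -extensions v3_ca -out inter.pem 2>/dev/null

# Client cert, signed by the intermediate (constructed name).
gen_key_csr client "/CN=constructed-client"
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -days 1 -out client.pem 2>/dev/null

# Bundle in the order the reply prescribes: key, client cert, intermediate.
# The root is optional and deliberately left out.
cat client.key client.pem inter.pem > client_keypair.pem

# The check a server trusting only root.pem performs on the presented chain.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem client.pem >/dev/null 2>&1
}
# Same check when the client sends its cert alone: fails with "unable to
# get local issuer certificate", which the peer reports as 'unknown ca'.
verify_without_intermediate() {
  openssl verify -CAfile root.pem client.pem >/dev/null 2>&1
}
cert_blocks_in_bundle() { grep -c 'BEGIN CERTIFICATE' client_keypair.pem; }
```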