Hi group,

I'm having problems trying to use a certificate I got from GoDaddy (it's a wildcard cert) to sign client certificate requests and then validate them. This is my actual environment:

- *mydomain.com.key* --> The private key used to request the GoDaddy's cert
- *mydomain.com.crt* --> The certificate I got from GoDaddy
- *gd_bundle.crt* --> Bundle file sent by GoDaddy

I concatenated my cert with the bundle one and also with some others I found at GoDaddy's repository [1] in my attempt to have a valid chained root with:

  $ cat mydomain.com.crt gd_bundle.crt > combined_1.crt
  $ cat mydomain.com.crt godaddy/gd_intermediate.crt > combined_2.crt
  $ cat mydomain.com.crt godaddy/gd_cross_intermediate.crt > combined_3.crt
  $ cat mydomain.com.crt godaddy/gd-class2-root.crt > combined_4.crt
  $ cat mydomain.com.crt godaddy/ca_bundle.crt > combined_5.crt

Here I'm going to reproduce the steps I followed using the openssl command line tools:

1. Create a client certificate signing request (CSR file), with a private key, using as 'Subject' for the cert the same attribute values that our certificate's Issuer has.
2. Sign the request using my domain's private key and a CA file (different in each test).
3. Export the client certificate to PKCS#12 format that browsers can import.
4. Verify the client certificate against different CA certificates (trying to see if it passes with any of them).

So here are the command line steps I used:

  # creating the client cert request using as subject the same values our GoDaddy's cert has
  $ openssl req -new -newkey rsa:1024 -nodes -subj '/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City' -keyout test1.key -out test1.csr
  Generating a 1024 bit RSA private key
  ...++++++
  .........++++++
  writing new private key to 'test1.key'
  -----

  # signing the csr using the same key used to get GoDaddy's cert
  $ openssl x509 -req -days 365 -CA mydomain.com.crt -CAkey mydomain.com.key -CAcreateserial -in test1.csr -out test1.crt
  Signature ok
  subject=/CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
  Getting CA Private Key

  # exporting the certificate into PKCS#12 (browser format)
  $ openssl pkcs12 -export -inkey test1.key -out test1.pfx -in test1.crt -name "Client Certificate - Test 1"

  # Trying to VERIFY the client certificate against different CA files
  $ openssl verify -CAfile mydomain.com.crt test1.crt
  $ openssl verify -CAfile combined_1.crt test1.crt
  $ openssl verify -CAfile combined_2.crt test1.crt
  $ openssl verify -CAfile combined_3.crt test1.crt
  $ openssl verify -CAfile combined_4.crt test1.crt
  $ openssl verify -CAfile combined_5.crt test1.crt

In all the verification attempts I got the following output:

  test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City
  error 20 at 0 depth lookup:unable to get local issuer certificate

I ran the above steps using different CA files (the combined ones I created) to sign the requests and I always get the same result :(

What am I missing here? How can I create and issue client certificates that can be recognized?

I'd appreciate some light here :)

Thanks,

[1] https://certs.godaddy.com/anonymous/repository.seam

-- 
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
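An added example, written for this page and not part of the original post, showing the check a practitioner would run before using any certificate as an issuer, and the usual alternative. For openssl verify to accept a certificate as the issuer of another, that certificate must carry basicConstraints CA:TRUE and, if it has a keyUsage extension at all, keyCertSign. A publicly issued server or wildcard certificate is an end-entity certificate with CA:FALSE and no keyCertSign, so a certificate signed with it fails at depth 0 no matter which bundle is passed to -CAfile; the bundles only help when the issuer itself is a CA. The script below uses only the openssl CLI; every name, subject and file in it is constructed for the demo (the "server" certificate stands in for a commercially issued wildcard cert, since the demo cannot use a real one). It builds a private client CA, issues and verifies a client certificate from it, exports the browser-importable PKCS#12, and then repeats the post's approach by signing the same CSR with the CA:FALSE server certificate so both verification outcomes can be compared.

```shell
#!/bin/sh
# Added example (not from the original post): private client-cert CA with the
# openssl CLI, plus checks showing why an end-entity cert cannot act as issuer.
# All names, subjects and files below are constructed for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so -subj works without depending on a system openssl.cnf.
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORK/req.cnf"

# Returns 0 if the cert has basicConstraints CA:TRUE and keyUsage keyCertSign
# (the two things openssl verify requires of an issuer), 1 otherwise.
cert_is_ca() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  case "$txt" in *"CA:TRUE"*) ;; *) return 1 ;; esac
  case "$txt" in *"Certificate Sign"*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if CERT ($2) chains to the trust anchor(s) in CAFILE ($1).
chain_verifies() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Sign CSR ($1) with issuer cert ($2) and key ($3), adding extensions from
# extfile ($4), writing the certificate to $5.
sign_csr() {
  openssl x509 -req -days 365 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" -out "$5" 2>/dev/null
}

build_demo_pki() {
  cd "$WORK"
  # 1. Private CA: self-signed and explicitly marked as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key ca.key -subj '/CN=Example Client CA/O=Example' -out ca.csr 2>/dev/null
  openssl x509 -req -days 365 -in ca.csr -signkey ca.key -extfile ca.ext -out ca.crt 2>/dev/null

  # 2. Server (end-entity) cert issued by the CA: CA:FALSE, no keyCertSign.
  #    This is what a publicly issued wildcard certificate looks like.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > server.ext
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key server.key -subj '/CN=*.example.test/O=Example' -out server.csr 2>/dev/null
  sign_csr server.csr ca.crt ca.key server.ext server.crt

  # 3. Client cert issued by the private CA (the supported path).
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > client.ext
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -new -config req.cnf -key client.key -subj '/CN=alice/O=Example' -out client.csr 2>/dev/null
  sign_csr client.csr ca.crt ca.key client.ext client-by-ca.crt

  # 4. The same CSR signed with the end-entity server cert, as in the post.
  sign_csr client.csr server.crt server.key client.ext client-by-server.crt

  # 5. Browser-importable PKCS#12 for the good client cert, CA cert included.
  openssl pkcs12 -export -inkey client.key -in client-by-ca.crt -certfile ca.crt \
    -name "Client Certificate - alice" -passout pass:demo -out client.pfx
  cd - >/dev/null
}

build_demo_pki

for c in ca.crt server.crt; do
  if cert_is_ca "$WORK/$c"; then
    echo "$c: CA:TRUE + keyCertSign, can issue certificates"
  else
    echo "$c: end-entity certificate, cannot act as an issuer"
  fi
done

if chain_verifies "$WORK/ca.crt" "$WORK/client-by-ca.crt"; then
  echo "client-by-ca.crt verifies against ca.crt"
fi
if ! chain_verifies "$WORK/server.crt" "$WORK/client-by-server.crt"; then
  echo "client-by-server.crt does not verify: server.crt is not a CA"
fi
```

The check in cert_is_ca is the one worth running on the GoDaddy-issued certificate before anything else: if it does not print CA:TRUE and Certificate Sign, no amount of bundle concatenation will make certificates signed with it verify. The private CA built in step 1 is the standard answer for client certificates; its ca.crt is what the server (or browser trust store) is configured to trust for client authentication, independently of the public certificate used for TLS on the server side.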