> From: owner-openssl-us...@openssl.org On Behalf Of Ron Arts
> Sent: Tuesday, 11 January, 2011 17:52

> I just renewed my Thawte webserver certificate. This
> certificate seems to work fine
> with various browsers I tried, but it curl, wget on CentOS
> 5.5 are not able to verify it:
<snip>
> I followed these instructions on the above page:
>
> o openssl s_client -connect xxxxx.com:443 |tee logfile
> o type "QUIT", followed by the "ENTER" key
> o The certificate will have "BEGIN CERTIFICATE" and "END
> CERTIFICATE" markers.

That gets you the *server* (entity) cert, which is only useful
as a CAcert if the server cert is selfsigned, which yours isn't.
Yours is actually at level 3, under (according to FF 3.5)
  C=US, O=Thawte, Inc., CN=Thawte SSL CA
  C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA

You need to either
1) put those *two* certs in your client cacert file if not already there
(OpenSSL always verifies the whole chain up to root)
or 2) have your server send the level2 cert as a 'chain' cert
AND put the level1 cert in your client cacert file if not already there

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
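
Added example, not part of the original message: a throwaway three-level chain built with the `openssl` command-line tool, showing why the server cert fails as a cacert file and how each of the two options in the reply verifies. All subject names are constructed, and `-untrusted` stands in for the chain cert the server would send.

```shell
#!/bin/sh
# Constructed three-level chain mirroring the layout in the reply:
# level 1 root CA -> level 2 intermediate CA -> level 3 server cert.
# All names below are invented; none of this is Thawte's material.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

mkreq() {    # $1 = file stem, $2 = CN: new key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
sign() {     # $1 = subject stem, $2 = issuer stem, $3 = serial, rest = extra args
    s=$1 i=$2 n=$3; shift 3
    openssl x509 -req -in "$D/$s.csr" -CA "$D/$i.pem" -CAkey "$D/$i.key" \
        -set_serial "$n" -days 2 -out "$D/$s.pem" "$@" 2>/dev/null
}
chain_ok() { # prints OK or FAIL for one `openssl verify` invocation
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Extensions that mark a certificate as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$D/ca.ext"

mkreq root "Example Root CA"
openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 2 \
    -extfile "$D/ca.ext" -out "$D/root.pem" 2>/dev/null
mkreq int "Example SSL CA";   sign int root 2 -extfile "$D/ca.ext"
mkreq srv "www.example.test"; sign srv int 3
cat "$D/int.pem" "$D/root.pem" > "$D/both.pem"

# What the quoted s_client steps yield: the server cert used as the cacert file.
echo "server cert as cacert:        $(chain_ok -CAfile "$D/srv.pem" "$D/srv.pem")"
# Root only, no chain cert from the server: the level 2 issuer cannot be found.
echo "root only:                    $(chain_ok -CAfile "$D/root.pem" "$D/srv.pem")"
# Option 1: both CA certs in the client cacert file.
echo "option 1 (int+root trusted):  $(chain_ok -CAfile "$D/both.pem" "$D/srv.pem")"
# Option 2: level 2 supplied as an untrusted chain cert, root in the cacert file.
echo "option 2 (int sent as chain): $(chain_ok -CAfile "$D/root.pem" \
    -untrusted "$D/int.pem" "$D/srv.pem")"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists every cert the server actually sends, which shows whether the intermediate is being delivered.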