> If the client certs require chain certs additional to (below
> or beside) those in your file, and some clients are sending
> those chain certs but other clients (e.g. Windows 7) are not,
> that would cause the symptom without any cert(s) being actually
> invalid. To test this, get the chain cert(s) sent by the client
> in a file and insert -untrusted chainfile.pem on commandline
> verify. (Note this option is not in the -? usage summary.)

The client's cert is on a smart card. If the client accesses our site via XP, never any problems. If the same client tries to access the site via Win7, it might work and it might not. When it doesn't work, we see the "FAILED:unable to get local issuer certificate" in the log.

I'm not understanding your test. I could get them to export their certificate (without priv. key). Am I to run "openssl verify -untrusted clientcert.pem"? What will this tell me?

Thanks for your help.

Curtis N. Tammany
Lead Web Application Developer, National Security & Defense
Systems Engineering and Technology
URS
16156 Dahlgren Road
Dahlgren, Virginia, 22448
curtis.tamm...@urs.com
540.663.9507

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
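
The test suggested in the quoted text, reproduced as an added example that is not part of the original thread: it builds a throwaway root, intermediate and client certificate, then runs `openssl verify` with and without the intermediate passed through `-untrusted`. The names (`Demo Root CA`, `Demo Intermediate CA`, `Demo Client`), the file names, and the assumption that the client cert is issued by an intermediate CA are all constructed for the illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root CA -> Demo Intermediate CA -> Demo Client.
# Every name, key and file here is made up for the example.

build_chain() {  # $1 = existing empty work directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the only certificate the verifier trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$1/inter.key" -out "$1/inter.csr" 2>/dev/null
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ca.cnf" -extensions v3_ca \
    -out "$1/inter.pem" 2>/dev/null
  # Client (leaf) certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=Demo Client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -set_serial 3 -days 2 -out "$1/client.pem" 2>/dev/null
}

verify_client() {  # $1 = work dir, $2 = optional PEM file of chain certs
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/client.pem" 2>&1 || true
  else
    openssl verify -CAfile "$1/root.pem" "$1/client.pem" 2>&1 || true
  fi
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir"
echo "--- root trusted, no chain certs supplied:"
verify_client "$demo_dir"
echo "--- root trusted, intermediate supplied via -untrusted:"
verify_client "$demo_dir" "$demo_dir/inter.pem"
rm -rf "$demo_dir"
```

In both runs the certificate being checked is the final positional argument; `-untrusted` names the file holding the chain certs, which are used to build the path to the trusted root but are not themselves trusted.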