On Wed, May 02, 2012, Tammany, Curtis wrote:
> > If the client certs require chain certs additional to (below
> > or beside) those in your file, and some clients are sending
> > those chain certs but other clients (e.g. Windows 7) are not,
> > that would cause the symptom without any cert(s) being actually
> > invalid. To test this, get the chain cert(s) sent by the client
> > in a file and insert -untrusted chainfile.pem on commandline
> > verify. (Note this option is not in the -? usage summary.)
>
> The client's cert is on a smart card. If the client accesses our site via XP-
> never any problems. If the same client tries to access the site via Win7- it
> might work and it might not. When it doesn't work, we see the " FAILED:unable
> to get local issuer certificate" in the log.
>
> I'm not understanding your test. I could get them to export their certificate
> (without priv. key).
> Am I to run "openssl verify -untrusted clientcert.pem"? What will this tell
> me?
It sounds like some clients have the correct intermediate certificate(s) installed and some do not. They should select the certificate, click the "view" button and see if the certificate path is complete (i.e. it says it is OK).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
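The two outcomes discussed in this thread can be reproduced offline with a throwaway chain. The script below is an added example and is not code from either poster or from the OpenSSL project: it builds a root -> intermediate -> client chain, runs `openssl verify` with only the root as trust anchor (which fails with "unable to get local issuer certificate", the error in the log), and then runs the same verification with the intermediate supplied through `-untrusted`, which is the test Dave proposed and which succeeds. The subject names, file names, the work directory and the minimal `req` config are all constructed for the demo; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the "unable to get
# local issuer certificate" failure and the -untrusted fix with a throwaway
# chain. All names, paths and the config stanza are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on a system openssl.cnf
# (the subject is passed with -subj, so the DN section can stay empty).
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Write an X.509 v3 extension file: $1 = path, $2 = CA:TRUE or CA:FALSE.
write_ext() {
  if [ "$2" = "CA:TRUE" ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
  else
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1"
  fi
}

# Generate an RSA key and a CSR: $1 = file basename, $2 = common name.
new_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Build root.pem (self-signed), inter.pem (signed by root) and client.pem
# (signed by inter). Like the smart-card client in the thread, client.pem on
# its own does not carry its issuer, so the verifier must find inter.pem elsewhere.
make_chain() {
  write_ext "$WORK/ca.ext" CA:TRUE
  write_ext "$WORK/ee.ext" CA:FALSE
  new_csr root   "Demo Root CA"
  new_csr inter  "Demo Intermediate CA"
  new_csr client "Demo Smart Card User"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 1 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ee.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Trust anchor only: fails at depth 0 because the client's issuer (the
# intermediate) is neither in -CAfile nor presented alongside the certificate.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/client.pem" 2>&1
}

# Same verification with the intermediate supplied as untrusted chain material,
# which is what a client that sends its chain provides during the handshake.
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/client.pem" 2>&1
}

main() {
  make_chain
  echo "--- root only (expect: unable to get local issuer certificate)"
  verify_root_only || true
  echo "--- root + -untrusted inter.pem (expect: OK)"
  verify_with_untrusted
}

if command -v openssl >/dev/null 2>&1; then
  main
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

For the real case, the file passed to `-untrusted` would hold the intermediate(s) the client presents (exported from the card's certificate store or captured from the handshake), and `client.pem` the exported end-entity certificate without its private key; a client that never sends its intermediates will keep failing the root-only check exactly as the Windows 7 users do, while the same certificate verifies once the chain is supplied.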