Thanks, Viktor. I believe this was the problem. I have now added the server cert, private key and intermediate certificates in one file and am reading them using the SSL_CTX_use_certificate_chain_file() API.
But one thing I want to understand. My server certificate is self-signed. And intermediate certificates are signed by a root-CA cert.

root-CA cert - self-signed
int1 - root-CA signed
int2 - int1 signed
.
.

Is this the right way of doing this? I don't understand how we connect the chain up to the server certificate in such a case. Can you please help me understand this problem?

Thanks,
Harshal

On Mon, Mar 10, 2014 at 6:34 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Mon, Mar 10, 2014 at 01:38:46PM +0530, Harshal Talele wrote:
>
> > As a matter of fact with use of
> > SSL_CTX_use_certificate_chain_file() API SSL handshake continues to fail
>
> You must put all the PEM certificates (leaf certificate and intermediate CAs)
> in the *same* file. With the leaf (server certificate) first, its issuing
> CA second, any issuer for that CA third and so on.
>
> You can also place the private key in the same file, or some other file.
>
>     -----BEGIN PRIVATE KEY-----
>     ...server key...
>     -----END PRIVATE KEY-----
>
>     -----BEGIN CERTIFICATE-----
>     ...server cert...
>     -----END CERTIFICATE-----
>
>     -----BEGIN CERTIFICATE-----
>     ...server cert's issuer: CA1...
>     -----END CERTIFICATE-----
>
>     -----BEGIN CERTIFICATE-----
>     ...CA1's issuer: CA2...
>     -----END CERTIFICATE-----
>     ...
>
> If the certificates and the key are in the same file, make sure
> the file is not world-readable.
>
> > As you have mentioned Viktor, I am using SSL_CTX_use_certificate_file() API
> > to read cert.pem which contains server certificate & private key.
> > Now I have another file chain.pem which contains only intermediate
> > certificates.
>
> You have split the leaf certificate from the intermediate issuing
> CAs. DON'T.
>
> --
>         Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
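A pre-flight check for the chain file layout described in the quoted reply (leaf first, each issuer directly after the certificate it issued, file not world-readable when it also holds the key), as an added example that is not part of the original thread or of OpenSSL. The names `check_chain_file`, `issuer_and_subject` and `tlv` are hypothetical; the check compares issuer and subject names byte-for-byte and does not verify signatures.

```python
import base64, os, re, stat, sys

PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER issuer and subject Names from an X.509 certificate."""
    _, pos, _ = tlv(der, 0)        # step into Certificate
    _, pos, _ = tlv(der, pos)      # step into tbsCertificate
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                # skip the optional [0] version field
        pos = end
    fields = []                    # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        _, _, end = tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain_file(path):
    """List problems with a PEM file meant for SSL_CTX_use_certificate_chain_file()."""
    with open(path) as fh:
        blocks = [(m.group(1), m.group(2)) for m in PEM.finditer(fh.read())]
    problems = []
    has_key = any(label.endswith("PRIVATE KEY") for label, _ in blocks)
    if has_key and os.stat(path).st_mode & stat.S_IROTH:
        problems.append("file contains a private key and is world-readable")
    names = [issuer_and_subject(base64.b64decode(body))
             for label, body in blocks if label == "CERTIFICATE"]
    if not names:
        return problems + ["no certificate in file"]
    for i in range(len(names) - 1):
        issuer, subject = names[i]
        if issuer == names[i + 1][1]:
            continue               # the next certificate is this one's issuer
        why = "is self-signed, so nothing after it is its issuer" if issuer == subject \
            else "is followed by a certificate that did not issue it"
        problems.append(f"certificate {i + 1} {why}")
    return problems

if __name__ == "__main__":
    for chain_path in sys.argv[1:]:
        print(chain_path, check_chain_file(chain_path) or "ok")
```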