> I would like to know the correct sequence of openssl commands to generate
> the certificate files on server S and client C.

It sounds like you need something like this: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/.

Under "Create a Server certificate", the article above puts the server's DNS name in the Common Name (CN). That's not really correct, since both the CA/Browser Forum and the IETF want the server's name in the Subject Alt Name (SAN) attributes. Put a friendly name in the CN (like "Example Company"), and put the DNS name in the SAN (like www.example.com).

OpenSSL also provides a certificate HowTo, but it does not cover the private/internal CA. See https://www.openssl.org/docs/HOWTO/certificates.txt.

You can use s_client to test/verify your setup:

    openssl s_client -connect <server>:<port> -CAfile <internal ca>

It should complete with "Verify OK (0)" or similar.

Jeff

On Wed, Jul 23, 2014 at 4:24 PM, Daniel Bertrand <danieljamesbertr...@me.com> wrote:
> Hi,
>
> I have inherited some C code which implements client/server communication.
> The certs expired last week and there is no documentation as to how the
> certs were generated.
>
> I would like to know the correct sequence of openssl commands to generate
> the certificate files on server S and client C, where server S creates the
> CA file and signs the certificates for use with client C.
>
> I am assuming that I have to strip the password to make a PKCS#12 file so
> that the server trusts the client program.
>
> The code fragment which reports that we have a problem with the issuer is as
> follows:
>
> int verify_callback(int preverify_ok, X509_STORE_CTX *store)
> {
>     log_message("verify_callback(int preverify_ok, X509_STORE_CTX *store)\n");
>     if (!preverify_ok)
>     {
>         char data[256];
>         X509 *cert = X509_STORE_CTX_get_current_cert(store);
>         int depth = X509_STORE_CTX_get_error_depth(store);
>         int err = X509_STORE_CTX_get_error(store);
>
>         fprintf(stderr, "Error with certificate at depth: %i\n", depth);
>         log_message("Error with certificate at depth: %i\n", depth);
>
>         X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
>         fprintf(stderr, "issuer = %s\n", data);
>         log_message("Error with issuer\n");
>
>         X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
>         fprintf(stderr, "subject = %s\n", data);
>         fprintf(stderr, "err %i:%s\n", err, X509_verify_cert_error_string(err));
>     }
>     return preverify_ok;
> }
>
> Here is the log:
>
> Jul 23 12:00:40 Daemon started.
> Jul 23 12:00:40 init_ssl(void)
> Jul 23 12:00:40 thread_setup(void)
> Jul 23 12:00:40 SSL_CTX *setup_client_ctx(void)
> Jul 23 12:00:40 Loading CA file and/or directory was ok.
> Jul 23 12:00:40 Loading default CA file and/or directory was ok.
> Jul 23 12:00:40 Loading certificate from file was ok.
> Jul 23 12:00:40 Loading private key from file was ok.
> Jul 23 12:00:40 Setting cipher list was ok.
> Jul 23 12:00:40 Succeeded executing client = BIO_new_connect(address[0])
> Jul 23 12:00:40 Succeeded executing BIO_do_connect(client) <= 0)
> Jul 23 12:00:40 Succeeded executing ssl = SSL_new(ctx)
> Jul 23 12:00:40 verify_callback(int preverify_ok, X509_STORE_CTX *store)
> Jul 23 12:00:40 verify_callback(int preverify_ok, X509_STORE_CTX *store)
> Jul 23 12:00:40 Error with certificate at depth: 0
> Jul 23 12:00:40 Error with issuer
> Jul 23 12:00:40 Error creating SSL object.
> Jul 23 12:00:40 Failed executing SSL_connect(ssl) <= 0

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
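The command sequence the question asks for, as an added example that is not code from this thread, from the linked article or from the OpenSSL HowTo. It follows the advice in the reply (friendly name in the CN, DNS name in the SAN), has server S act as the private CA and issue both the server and the client certificate, and ends with an offline `openssl verify` that mirrors the decision the verify_callback above reports. The names (www.example.com, "Example Company", client-C), file names, key sizes and lifetimes are constructed assumptions; keys are written unencrypted, matching the stripped-password setup the question describes.

```shell
#!/bin/sh
# Added example, not code from the thread: private CA on server S, a server
# certificate with the host name in the SAN, and a clientAuth certificate for
# client C. Every name, path and lifetime here is a constructed assumption.
set -eu

# Minimal req config so -subj works regardless of the system openssl.cnf.
write_req_conf() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# make_pki DIR SERVER_DNS: writes ca.pem, server.pem/.key, client.pem/.key.
make_pki() {
  dir="$1"; server_dns="$2"
  mkdir -p "$dir"
  write_req_conf "$dir/req.cnf"

  # 1. CA on server S: key, CSR, self-signed with explicit CA extensions.
  #    basicConstraints CA:TRUE is what lets openssl accept ca.pem as issuer.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/ca.key" -sha256 \
    -subj "/O=Example Company/CN=Example Company Internal CA" -out "$dir/ca.csr"
  {
    echo 'basicConstraints=critical,CA:TRUE'
    echo 'keyUsage=critical,keyCertSign,cRLSign'
  } > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

  # 2. Server certificate: CN is a friendly name, the host name is in the SAN.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/server.key" -sha256 \
    -subj "/O=Example Company/CN=Example Company" -out "$dir/server.csr"
  {
    echo 'basicConstraints=CA:FALSE'
    echo 'keyUsage=digitalSignature,keyEncipherment'
    echo 'extendedKeyUsage=serverAuth'
    echo "subjectAltName=DNS:$server_dns"
  } > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/server.ext" \
    -out "$dir/server.pem" 2>/dev/null

  # 3. Client certificate for C, marked clientAuth so S can require it.
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/client.key" -sha256 \
    -subj "/O=Example Company/CN=client-C" -out "$dir/client.csr"
  {
    echo 'basicConstraints=CA:FALSE'
    echo 'keyUsage=digitalSignature'
    echo 'extendedKeyUsage=clientAuth'
  } > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/client.ext" \
    -out "$dir/client.pem" 2>/dev/null
}

# verify_pki DIR SERVER_DNS: offline version of what each peer's verify
# callback decides. Returns 0 only if both leaves chain to ca.pem for their
# purpose and the server leaf carries the expected DNS SAN.
verify_pki() {
  dir="$1"; server_dns="$2"
  openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/server.pem" >/dev/null &&
  openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/client.pem" >/dev/null &&
  openssl x509 -in "$dir/server.pem" -noout -text | grep -q "DNS:$server_dns"
}

# issuer_mismatch CAFILE CERT: returns 0 when CERT does NOT chain to CAFILE,
# which is the "Error with issuer" situation in the log, reproduced offline.
issuer_mismatch() {
  ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  out=$(mktemp -d)
  make_pki "$out" www.example.com
  verify_pki "$out" www.example.com && echo "chain and SAN OK in $out"
fi
```

Run it as `sh mkpki.sh run`, copy `ca.pem` to the client as its trust file, then point the reply's `openssl s_client -connect <server>:<port> -CAfile ca.pem` at the live server; a leaf issued by any other CA fails `issuer_mismatch`-style with "unable to get local issuer certificate", which is the depth-0 issuer error the posted log shows.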