Specifically, what can lead me backwards from the "Error with certificate at depth: 0, Error with issuer" error code?

I was hoping for a specific reason why this line

    X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);

is failing.

Thanks
Dan

On Jul 23, 2014, at 5:25 PM, Jeffrey Walton <noloa...@gmail.com> wrote:

>> I would like to know the correct sequence of openssl commands to generate
>> the certificate files on server S and client C.
>
> It sounds like you need something like this:
> http://www.g-loaded.eu/2005/11/10/be-your-own-ca/.
>
> Under "Create a Server certificate", the article above puts the
> server's DNS name in the Common Name (CN). That's not really correct
> since both the CA/Browser Forums and the IETF want the server's name
> in the Subject Alt Names (SAN) attributes.
>
> Put a friendly name in the CN (like "Example Company"), and put the
> DNS name in the SAN (like www.example.com).
>
> OpenSSL also provides a certificate HowTo, but it does not cover the
> private/internal CA. See
> https://www.openssl.org/docs/HOWTO/certificates.txt.
>
> You can use s_client to test/verify your setup:
>
>     openssl s_client -connect <server>:<port> -CAfile <internal ca>
>
> It should complete with "Verify OK (0)" or similar.
>
> Jeff
>
> On Wed, Jul 23, 2014 at 4:24 PM, Daniel Bertrand
> <danieljamesbertr...@me.com> wrote:
>> Hi,
>>
>> I have inherited some C code which implements client/server communication.
>> The certs expired last week and there is no documentation as to how the
>> certs were generated.
>>
>> I would like to know the correct sequence of openssl commands to generate
>> the certificate files on server S and client C, where server S creates the
>> CA file and signs the certificates for use with client C.
>>
>> I am assuming that I have to strip the password to make a PKCS#12 file so
>> that the server trusts the client program.
>>
>> The code fragment which reports that we have a problem with the issuer is as
>> follows:
>>
>>     int verify_callback(int preverify_ok, X509_STORE_CTX *store)
>>     {
>>         log_message("verify_callback(int preverify_ok, X509_STORE_CTX *store)\n");
>>         if (!preverify_ok)
>>         {
>>             char data[256];
>>             X509 *cert = X509_STORE_CTX_get_current_cert(store);
>>             int depth = X509_STORE_CTX_get_error_depth(store);
>>             int err = X509_STORE_CTX_get_error(store);
>>
>>             fprintf(stderr, "Error with certificate at depth: %i\n", depth);
>>             log_message("Error with certificate at depth: %i\n", depth);
>>
>>             X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
>>             fprintf(stderr, "issuer = %s\n", data);
>>             log_message("Error with issuer\n");
>>
>>             X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
>>             fprintf(stderr, "subject = %s\n", data);
>>             fprintf(stderr, "err %i:%s\n", err, X509_verify_cert_error_string(err));
>>         }
>>         return preverify_ok;
>>     }
>>
>> Here is the log:
>>
>> Jul 23 12:00:40 Daemon started.
>> Jul 23 12:00:40 init_ssl(void)
>> Jul 23 12:00:40 thread_setup(void)
>> Jul 23 12:00:40 SSL_CTX *setup_client_ctx(void)
>> Jul 23 12:00:40 Loading CA file and/or directory was ok.
>> Jul 23 12:00:40 Loading default CA file and/or directory was ok.
>> Jul 23 12:00:40 Loading certificate from file was ok.
>> Jul 23 12:00:40 Loading private key from file was ok.
>> Jul 23 12:00:40 Setting cipher list was ok.
>> Jul 23 12:00:40 Succeeded executing client = BIO_new_connect(address[0])
>> Jul 23 12:00:40 Succeeded executing BIO_do_connect(client) <= 0)
>> Jul 23 12:00:40 Succeeded executing ssl = SSL_new(ctx)
>> Jul 23 12:00:40 verify_callback(int preverify_ok, X509_STORE_CTX *store)
>> Jul 23 12:00:40 verify_callback(int preverify_ok, X509_STORE_CTX *store)
>> Jul 23 12:00:40 Error with certificate at depth: 0
>> Jul 23 12:00:40 Error with issuer
>> Jul 23 12:00:40 Error creating SSL object.
>> Jul 23 12:00:40 Failed executing SSL_connect(ssl) <= 0
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
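The quoted callback logs only "Error with issuer"; the number that actually says why depth 0 failed (the err value and X509_verify_cert_error_string text) goes to stderr alone. As an added example, not code from the thread, the script below builds a throw-away internal CA the way Jeff describes (friendly name in the CN, DNS name in the SAN) and reproduces the two depth-0 failures that fit this thread, a client trusting the wrong issuer and an expired certificate, reading the numeric code out of openssl verify; every name, path and the www.example.com host are constructed for the demo and it needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away internal CA built the way Jeff
# describes (friendly name in CN, hostname in SAN), used to reproduce the depth-0
# failures behind "Error with certificate at depth: 0". Needs the openssl CLI;
# every name and path below is constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping"; exit 0; }
WORK=$(mktemp -d); cd "$WORK"
# Internal CA with explicit CA extensions, so it is accepted as an issuer on any OpenSSL version.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -subj "/CN=Example Internal CA" \
    -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt 2>/dev/null
# Server cert signed by that CA, valid one year: friendly name in CN, DNS name in the SAN.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -subj "/CN=Example Company" \
    -out server.csr 2>/dev/null
printf 'subjectAltName=DNS:www.example.com\n' >server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
    -extfile server.ext -out server.crt 2>/dev/null
# An unrelated CA: what the client's -CAfile amounts to when it trusts the wrong issuer.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout other.key -subj "/CN=Some Other CA" \
    -days 3650 -out other.crt 2>/dev/null

# verify_error CAFILE CERT [EPOCH]: run the chain check SSL_connect performs and print the
# X509_V_ERR_* code reported at depth 0, or 0 when the chain verifies.
verify_error() {
    _ca=$1; _cert=$2
    if [ $# -ge 3 ]; then set -- -attime "$3"; else set --; fi   # optional verification time
    _out=$(openssl verify "$@" -CAfile "$_ca" "$_cert" 2>&1) || true
    # On failure openssl prints e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
    _code=$(printf '%s\n' "$_out" | sed -n 's/.*error \([0-9][0-9]*\) at 0 depth.*/\1/p' | head -n 1)
    echo "${_code:-0}"
}

# Same text X509_verify_cert_error_string() returns for the codes this demo can produce.
error_string() {
    case $1 in
        0)  echo "ok" ;;
        10) echo "certificate has expired" ;;
        20) echo "unable to get local issuer certificate" ;;
        *)  echo "X509_V_ERR code $1 (see the openssl verify output)" ;;
    esac
}

FUTURE=$(( $(date +%s) + 400 * 86400 ))   # 400 days out: past the server cert's 365-day life
for c in "$(verify_error ca.crt server.crt)" "$(verify_error other.crt server.crt)" \
         "$(verify_error ca.crt server.crt "$FUTURE")"; do
    echo "depth 0 error $c: $(error_string "$c")"
done
```

The same numeric code is what the callback's err variable holds, so logging err and X509_verify_cert_error_string(err) next to "Error with issuer" would let the daemon log answer the question directly.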