wner-openssl-us...@openssl.org on behalf of Dr. Stephen Henson
Sent: Fri 3/13/2009 5:14 AM
To: openssl-users@openssl.org
Subject: Re: Can't recognize intermediate CA
On Thu, Mar 12, 2009, Rene Hollan wrote:
> True, but (a) it doesn't hurt to have both, and (b) if the issuer
> doesn't have a SKID, AKID issuer/serial takes the place of an AKID
> keyid.
>
The disadvantage is that if you want to support more than one intermediate CA
(cross certification for exa
On Thu, Mar 12, 2009, Rene Hollan wrote:
> Yup. That fixed it.. At least as far as openssl verify -CAfile
> cacert.pem -untrusted intcert2.pem yahoo-x.pem goes.
>
> Oddly, firefox still rejects the end cert, even though both cacert.pem
> and intcert2.pem are in its trust store. Is it possible t
a nice cert chain).
>
>
> -Original Message-
> From: Rene Hollan
> Sent: Thursday, March 12, 2009 6:34 PM
> To: 'openssl-users@openssl.org'
> Subject: RE: Can't recognize intermediate CA
>
> Sigh.
>
> Well, I added the intermediate CA to the cert chain
enssl... :-)).
>
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Thursday, March 12, 2009 4:23 PM
> To: openssl-users@openssl.org
> Subject: Re: Can't recogniz
enssl-users@openssl.org'
Subject: RE: Can't recognize intermediate CA
Sigh.
Well, I added the intermediate CA to the cert chain sent by my proxy
(and verified this with wireshark).
OpenSSL s_client -CAfile cacert.pem -host login.yahoo.com -port 443
works and shows the trust chain.
But
lains. :-(
-Original Message-
From: Rene Hollan
Sent: Thursday, March 12, 2009 5:39 PM
To: 'openssl-users@openssl.org'
Subject: RE: Can't recognize intermediate CA
Yup. That fixed it.. At least as far as openssl verify -CAfile
cacert.pem -untrusted intcert2.pem yahoo-x.pem g
: Thursday, March 12, 2009 4:23 PM
To: openssl-users@openssl.org
Subject: Re: Can't recognize intermediate CA
You can just leave out the issuer+serial number combination from AKID
too.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core develope
enson
Sent: Thursday, March 12, 2009 4:23 PM
To: openssl-users@openssl.org
Subject: Re: Can't recognize intermediate CA
If it's any consolation you aren't alone with that, it gets commented on
quite often so much so in fact that it has an FAQ entry:
http://www.openssl.org/support
Sincerely,
Giang Nguyen
> Date: Fri, 13 Mar 2009 00:22:56 +0100
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Can't recognize intermediate CA
>
> On Thu, Mar 12, 2009, Rene Hollan wrote:
>
>
On Thu, Mar 12, 2009, Rene Hollan wrote:
> Yeah, I just noticed that.
>
> I've been comparing how my intermediate CA resigned an existing cert
> (it's part of a proxy that decrypts, examines, and reencrypts -- the
> downstream client sharing a trust hierarchy with the intermediate
> "resigning" C
to:owner-openssl-us...@openssl.org] On Behalf Of Giang Nguyen
Sent: Thursday, March 12, 2009 4:56 PM
To: openssl-users@openssl.org
Subject: RE: Can't recognize intermediate CA
> I used openssl with the intermediate CA to sign a separate cert, which
> had an AKID keyid but no issuer, a
>> I used openssl with the intermediate CA to sign a separate cert, which
>> had an AKID keyid but no issuer, and that chain recognizes fine.
>>
>> Could the problem be the fact that yahoo.pem has an AKID keyid AND
>> issuer? (one or the other is sufficient, but I could find nothing that
>> said th
> I used openssl with the intermediate CA to sign a separate cert, which
> had an AKID keyid but no issuer, and that chain recognizes fine.
>
> Could the problem be the fact that yahoo.pem has an AKID keyid AND
> issuer? (one or the other is sufficient, but I could find nothing that
> said that bo
3:49 PM
> To: openssl-users@openssl.org
> Subject: RE: Can't recognize intermediate CA
>
>
> the cacert has pathlen:1 in its "X509v3 Basic Constraints"
>
>
>> Subject: Can't recognize intermediate CA
>> Date: Thu,
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Giang Nguyen
Sent: Thursday, March 12, 2009 3:49 PM
To: openssl-users@openssl.org
Subject: RE: Can't recognize intermediate CA
the cacert has pathlen:1 in its "X509v3 Basic Constraints"
> Subject: Can't recognize intermediate CA
> Date: Thu, 12 Mar 2009 15:00:47 -0700
> From: rene.hol...@watchguard.com
> To: openssl-users@openssl.org
>
> I'
I'm tearing my hair out trying to get an intermediate CA to be
recognized.
I have cacert.pem signing intcert.pem signing (well, resigning),
yahoo.pem
Openssl verify verifies intcert.pem against cacert.pem, but won't
verify yahoo.pem against intcert.pem.
Subject/issuer match. AKID dirname and is
ollan; 'openssl-users@openssl.org'
Subject: RE: Can't recognize intermediate CA
Corrected yahoo.pem:
-Original Message-
From: Rene Hollan
Sent: Thursday, March 12, 2009 3:01 PM
To: 'openssl-users@openssl.org'
Subject: Can