RE: Cert chain verification failures

2011-03-31 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of David Coulson
> Sent: Wednesday, 30 March, 2011 10:24
> On 3/30/11 8:33 AM, Crypto Sal wrote:
> > David:
> >
> > Firefox caches that information, so that it can use them later if you
> > view a similar certificate hierarchy.
> >
> > If you v

Re: Cert chain verification failures

2011-03-30 Thread David Coulson
On 3/30/11 8:33 AM, Crypto Sal wrote: David: Firefox caches that information, so that it can use them later if you view a similar certificate hierarchy. If you view the Firefox Certificate Manager you should see "Software Security Device" vs. that of "Built in Object" next to each of the

Re: Cert chain verification failures

2011-03-30 Thread Crypto Sal
On 03/29/2011 01:16 PM, David Coulson wrote: On 3/29/11 12:58 PM, Bruce Stephens wrote: Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate. Okay, I see that - Makes sense. When

Re: Cert chain verification failures

2011-03-29 Thread Bruce Stephens
David Coulson writes:

> On 3/29/11 12:58 PM, Bruce Stephens wrote:
>> Add the -showcerts option to the s_client commands and you'll see the
>> first server returns a chain of certificates where the second offers
>> only the end server certificate.
> Okay, I see that - Makes sense. When I hit the

Re: Cert chain verification failures

2011-03-29 Thread David Coulson
On 3/29/11 12:58 PM, Bruce Stephens wrote: Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates where the second offers only the end server certificate. Okay, I see that - Makes sense. When I hit the hostname w/ Firefox I'm able to se

Re: Cert chain verification failures

2011-03-29 Thread Bruce Stephens
David Coulson writes:

[...]
> OpenSSL has other ideas. First one validates fine, second one does
> not. I can't for the life of me figure out what the difference is.
>
> Any ideas?

Add the -showcerts option to the s_client commands and you'll see the first server returns a chain of certificates

Cert chain verification failures

2011-03-29 Thread David Coulson
Probably missing something simple, but I'm having a tough time validating the CA chain for a certificate. There is a second certificate, seemingly signed by the same CA which does validate. I'm not sure how useful this tool is, but it seems to indicate both certs were signed by the same CA.