On Tuesday 26 Apr 2011 19:35:48 Mounir IDRASSI wrote:
> Hi James,
>
> I got the correct certificate chain from my Windows 7 box. Microsoft
> tends to update its trusted CA certificates store more quickly and
> regularly than Mozilla or Linux distros: the latest update was last
> month on March
>
>
> I got the correct certificate chain from my Windows 7 box. Microsoft
> tends to update its trusted CA certificates store more quickly and regularly
> than Mozilla or Linux distros: the latest update was last month on March
> 23rd 2011.
> It is sad that even Network Solutions guys are not
Hi James,
I got the correct certificate chain from my Windows 7 box. Microsoft
tends to update its trusted CA certificates store more quickly and
regularly than Mozilla or Linux distros: the latest update was last
month on March 23rd 2011.
It is sad that even Network Solutions guys are not
>
>
> You've got the wrong chain file. I understand that NetSol switched to a
> new
> EV Issuing CA a few months ago. Are you definitely using the chain file
> that
> they supplied with your latest site cert?
>
I am using the chain file that they suggest downloading which already has
the interme
On Tuesday 26 Apr 2011 13:29:00 James Chase wrote:
> Someone suggested it would be helpful to post the chain file and the site's
> public certificate to the list. If it is helpful, here is the site cert
> (and below that their supplied chain file)
>
> -BEGIN CERTIFICATE-
> -END CERTIF
Hi,
Your SSL certificate has an Authority Key Identifier extension which has
a value of "8a 35 e4 35 3a bc 11 a1 9e fb f5 4f 34 66 d5 4b ac 4c 62
68". This indicates that it has NOT been issued by the "Network
Solutions EV Server CA" certificate that is present in the chain file
you posted: t
Someone suggested it would be helpful to post the chain file and the site's
public certificate to the list. If it is helpful, here is the site cert (and
below that their supplied chain file)
-BEGIN CERTIFICATE-
MIIF+TCCBOGgAwIBAgIRAOQNdqGKinmztM0sRh0SkkowDQYJKoZIhvcNAQEFBQAw
WTELMAkGA1UEBh
Well my results are quite different, and I guess point to my p12 not being
correctly created. Strangely, the p12 I am running this test on works in
production and doesn't produce a warning (I re-created last year's
certificate as a new p12 using the same process I am trying with this
year's).
I also
On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> I simplified the issue a bit in order to try and understand what is going
> on here and found that the SSL certificate that Network Solutions is
> providing, along with the intermediate chain file cannot be verified by
> newer installs of Firefox.
>
>
> openssl verify -CAfile chain.crt my.cert.crt
>
> IF you have installed some 'common' or 'standard' CAs in your
> system's default truststore -- or if you're using a packaged
> build that does so for you -- turn that off to make sure it
> doesn't silently 'fill in' certs for you, something li
> From: owner-openssl-us...@openssl.org On Behalf Of James Chase
> Sent: Monday, 25 April, 2011 11:02
> I did run the verification, and didn't have an issue there.
> Still am not able to figure out how to correctly create this
> as the only way the p12 compiles is by dropping t
I simplified the issue a bit in order to try and understand what is going on
here and found that the SSL certificate that Network Solutions is providing,
along with the intermediate chain file cannot be verified by newer installs
of Firefox. It doesn't have anything to do with the p12 file I am cre
I did run the verification, and didn't have an issue there. Still am not
able to figure out how to correctly create this as the only way the p12
compiles is by dropping the "-chain" command but that creates SSL
verification warnings in Firefox web browsers.
openssl req -verify -in www.example.com
I am using the same system -- I have tried with last year's chain file as
well. The only thing that would be different to my knowledge are possibly
the version of openssl and the renewed crt file if it possibly requires new
CA's (I did use their most current certificates before I tried using my old
On 04/21/2011 06:51 PM, James Chase wrote:
I have done this multiple years in a row with the exact same process
but now I get the following error when I try to create my SSL:
openssl pkcs12 -export -chain -CAfile cachain.crt -out
my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
Hi James,
Can you try openssl verify command?
If this fails, then there must be something wrong with your setup
- re
On Sat, Apr 23, 2011 at 8:45 PM, James Chase wrote:
>
> I have done this multiple years in a row with the exact same process but
>> now I get the following error when I try to create my S
On Sat April 23 2011, James Chase wrote:
> > I have done this multiple years in a row with the exact same process but
> > now I get the following error when I try to create my SSL:
> >
Has worked for years and now it fails? OK, what changed?
From: http://www.openssl.org/docs/apps/pkcs12.html
-ch
> I have done this multiple years in a row with the exact same process but
> now I get the following error when I try to create my SSL:
>
> openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
> -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
> Error unable to get local issuer ce
I have done this multiple years in a row with the exact same process but now
I get the following error when I try to create my SSL:
openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
-inkey my.domain.com.key -in MY.DOMAIN.COM.crt
Error unable to get local issuer certificate g