Re: Issue with certificate chain

Fri, 21 Dec 2012 06:58:51 -0800 

On 12/21/2012 1:27 PM, Deeztek.com Support wrote:

I have a weird issue when creating and importing PFX files into Windows
7 clients. I have created a CA and a sub CA and I have created client
certificates. When I  import them into Windows 7 clients (in all
fairness I have only tried windows 7), when I go to look at the
certification path, it tells me that the root CA certificate is expired
or not yet valid. Looking at the expiration date of the root CA, it
shows it to only be valid from 11/19/2012 through 12/19/2012. The sub CA
certificate and the end user certificates are fine with 5 year validity
periods. However, when I look at the root CA with openssl it shows the
following:

*#: openssl x509 -in cacert.pem -noout -text

Issuer: CN=ca3.deeztek.com/emailAddress=c...@deeztek.com
         Validity
             Not Before: Dec 20 21:00:07 2012 GMT
             Not After : Dec 19 21:00:07 2017 GMT
         Subject: CN=ca3.deeztek.com/emailAddress=c...@deeztek.com*

Obviously not expired and the dates are completely different from what
Windows is reporting. Can anyone shed some light on this. I sign the
client certificates with the sub CA using a cachain file I created from
the root and the sub ca.

Thanks


This happened to another user a few weeks ago.  Here is what worked for him:
Carefully compare the certificate serial numbers and first few bytes of certifcate signature between the "Details" tab in Windows and the output of the openssl command you just used. 

In the previous case, it turned out they were two different certificates
with similar names, and the wrong certificate had been imported into Windows in a previous attempt, preventing loading of the real certificate until the wrong one was manually deleted. 

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to