Steve,
Thanks so much, this did the trick. A small thing, but had us stymied.
Appreciate your help,
Dan
-----Original Message-----
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Can't -verify "Global Server ID" certs from Verisign
> "Dan Boerner (InfoSpace Inc)" wrote:
>
> Hello,
>
> I'm a new poster, so forgive me if this question has been addressed
> earlier (though I couldn't find it in archives).
>
> We have our own webserver and are trying to determine what we need to
> do to support GSIDs with OpenSSL. Our OpenSSL-based SSID support works
> fine, but the GSIDs we get from Verizon don't even read properly when
> we use openssl verify on the command line.
>
> Shouldn't we be able to verify these certs?
> We've tried breaking them into the Intermediate and Server certs and
> then using:
>
> "openssl verify -CAfile d:\intermediate.pem d:\server.pem"
>
> which we believe to be the correct cmd line. The result is shown below
>
> d:\server.pem: unable to load certificate file
> 2104:error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an
> asn1 sequence:.\crypto\asn1\x_cinf.c:106:address=9568330
> offset=02104:error:0D09F004:asn1 encoding routines:d2i_X509:nested
> asn1 error:.\crypto\asn1\x_x509.c:102:address=9568328
> offset=22104:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
> lib:.\crypto\pem\pem_lib.c:290:
>
> Any help is greatly appreciated. Anticipating the request, I am
> including the two certs that make up the GSID we received from
> Verizon.
>
Thank you for including the certificates. Its amazing the number of
people give incomplete reports and say stuff like "this doesn't work" or
"I've got this certificate that doesn't work".
Anyway the server "certificate" isn't a PEM encoded certificate at all
but several certificates in a PKCS#7 wrapper. Use the command line:
openssl pkcs7 -in server.pem -print_certs -out certs.pem
you'll then get several certificates in 'certs.pem' which you can
manually extract using a text editor or whatever.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
