Hi

Thanks for the info!  I tried that but I got a key values mismatch error.

I used the following command to generate the 2 levels of CA and a server
certificate

# self signed certificate for root CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca1.key 1024
% openssl req -new -key /export/home/pli/cert/ca1.key -out ca1.csr
% openssl x509 -req -in ca1.csr -signkey ca1.key -out ca1.crt

# intermediate CA signed by the root CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca2.key 1024
% openssl req -new -key /export/home/pli/cert/ca2.key -out ca2.csr
% openssl x509 -req -in ca2.csr -signkey ca1.key -out ca2.crt

# server certificate signed by the intermediate CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca3.key 1024
% openssl req -new -key /export/home/pli/cert/ca3.key -out ca3.csr
% openssl x509 -req -in ca3.csr -signkey ca2.key -out ca3.crt

# then I copied the ca1.csr and ca2.csr to the directory pointed to by the
# CApath and renamed them with .pem suffix and ran "c_rehash ."
# I checked there are hash softlinks created for the pem files.

# but I got error about mismatch key values when running the s_server
# I typed in the passphrase that I used when creating the server certificate
ca3.crt

%openssl s_server -accept 1111 -verify 3 \
        -cert ca3.crt \
        -key ca3.key -state \
        -CApath /export/home/pli/cert/hash -WWW
verify depth is 3
Using default temp DH parameters
Enter PEM pass phrase:
unable to get private key from 'ca3.key'
895:error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch:x509_cmp.c:285:

Did I perform some steps incorrectly?

Thanks
Patrick

>On Tue, Mar 20, 2001 at 11:27:23AM -0800, Patrick Li wrote:
>> I want to run "openssl s_server" to simulate the server sending out the
>> server certificate chain.  I have created a root CA and used it to sign
>> another certificate (CA), which in turn is used to sign another certificate.
>> Now I have 3 certificates (including the root CA self-signed
>> certificate).
>> How do I make the s_server read the certificate chain?
>
>This is achieved with the SSL_CTX_use_certificate_chain_file() or
>SSL_CTX_add_extra_chain_cert() functions, none of which is used in
>s_server. Therefore you have to resort to the third solution:
>in order to build the certificate chain, an OpenSSL server will also
>look into the trusted CA storage. Therefore if you add the root and
>intermediate CAs with -CAfile or -CApath to s_server, the complete
>chain will be sent out.
>
>Best regards,
>Lutz
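The procedure Lutz describes (root and intermediate in the -CApath store, server certificate issued by the intermediate), as an added example that is not part of this thread: a POSIX shell script that builds the chain with -CA/-CAkey instead of -signkey, runs the key-versus-certificate comparison behind the "key values mismatch" error, and verifies the server certificate against a hashed CApath directory built from the certificates rather than the CSRs. It assumes openssl 1.1.1 or newer on PATH with a working default openssl.cnf; the file names, subject names and unencrypted keys are constructed for the example so it runs unattended.

```shell
# Builds root -> intermediate -> server as the reply describes, then runs the
# two checks s_server effectively performs at startup: the server key must
# match the server certificate, and the CA chain must be findable in -CApath.
# Assumptions: openssl 1.1.1+, default openssl.cnf present, unencrypted keys.

# $1 = basename, $2 = CN: unencrypted RSA key plus a non-interactive CSR
new_key_and_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# $1 = CA basename, $2 = subject basename, $3 = extension file.
# -CA/-CAkey signs with the CA key and keeps the CSR's public key; "-signkey
# other.key" instead self-signs with other.key's OWN public key, which is why
# "x509 -req -signkey ca2.key" gave a cert that no longer matched ca3.key.
issue_with_ca() {
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 365 -extfile "$3" -out "$2.crt" 2>/dev/null
}

# $1 = cert, $2 = key: true only if the public key embedded in the
# certificate equals the public half of the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# $1 = work directory: build the chain, check the key, then lay out the hashed
# -CApath directory c_rehash would make (from .pem certificates, not .csr files)
# and verify the server cert against it. Prints OK on success.
build_chain() (
    cd "$1" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext
    new_key_and_csr root "Test Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -days 365 \
        -extfile ca.ext -out root.crt 2>/dev/null &&
    new_key_and_csr inter "Test Intermediate CA" &&
    issue_with_ca root inter ca.ext &&
    new_key_and_csr server localhost &&
    issue_with_ca inter server srv.ext || return 1
    key_matches_cert server.crt server.key || return 1
    mkdir -p hash
    for c in root inter; do
        cp "$c.crt" "hash/$c.pem"
        ln -sf "$c.pem" "hash/$(openssl x509 -subject_hash -noout -in "$c.crt").0"
    done
    openssl verify -CApath hash server.crt >/dev/null 2>&1 && echo OK
)
```

With the resulting files, `openssl s_server -cert server.crt -key server.key -CApath hash` starts without the mismatch error and sends the intermediate from the CApath store, as the reply says.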


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
