Patrick,
I tried using your examples, but it generated three self-signed
certificates.
So I read the man page:
http://www.openssl.org/docs/apps/x509.html#SIGNING_OPTIONS
It looks like the "-signkey file" option is used only for the root CA.
Try this to sign the other CAs using the "-CA" and "-CAkey" options:
# intermediate CA signed by the root CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca2.key 1024
% openssl req -new -key /export/home/pli/cert/ca2.key -out ca2.csr
# -CAcreateserial creates the ca1.srl serial file on first use; without it x509 fails to load the serial file
% openssl x509 -req -in ca2.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial -out ca2.crt
# server certificate signed by the intermediate CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca3.key 1024
% openssl req -new -key /export/home/pli/cert/ca3.key -out ca3.csr
% openssl x509 -req -in ca3.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial -out ca3.crt
I checked my results with:
% openssl x509 -in ca2.crt -text -noout
% openssl x509 -in ca3.crt -text -noout
Haven't tried the rest of your stuff. Good luck!
- Eric B
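The procedure Eric describes above (root self-signed, every lower level signed with -CA/-CAkey), written out as an added example that is not part of the original thread, together with the two checks that would have caught Patrick's "key values mismatch" before s_server did: comparing the public key inside each certificate with the public key of its private key, and running openssl verify on the leaf through the intermediate. The file names ca1/ca2/ca3 follow the thread; the subject names, the work directory, the unencrypted keys (-nodes, so the script runs unattended) and the basicConstraints extension file for the intermediate are assumptions of this example. The extension is needed because openssl verify rejects an intermediate with no basicConstraints as an invalid CA certificate, and a plain "x509 -req" certificate has no extensions.

```shell
#!/bin/sh
# Added example, not from the thread: build a three-level chain with
# -CA/-CAkey for every non-root certificate, then run the checks that
# expose a key/certificate mismatch and a broken chain before s_server does.
# ca1 = root, ca2 = intermediate, ca3 = server (names from the thread);
# subject names, directory and -nodes are choices made for this demo.
set -eu

# Print "match" or "MISMATCH": does the public key inside certificate $1
# equal the public key derived from private key $2? This is the comparison
# behind the "X509_check_private_key: key values mismatch" error.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo MISMATCH; fi
}

# Build root -> intermediate -> server inside directory $1.
build_chain() {
    cd "$1"
    # Root CA: self-signed, the only place -signkey is the right option.
    openssl req -new -newkey rsa:2048 -nodes -keyout ca1.key -out ca1.csr -subj /CN=Demo-Root
    openssl x509 -req -in ca1.csr -signkey ca1.key -out ca1.crt -days 30
    # Intermediate CA, signed by the root. It must carry basicConstraints
    # CA:TRUE or openssl verify rejects it as an invalid CA certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout ca2.key -out ca2.csr -subj /CN=Demo-Intermediate
    openssl x509 -req -in ca2.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial \
        -extfile ca.ext -out ca2.crt -days 30
    # Server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout ca3.key -out ca3.csr -subj /CN=demo.example
    openssl x509 -req -in ca3.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial \
        -out ca3.crt -days 30
}

# Verify the server certificate in directory $1 against the root, supplying
# the intermediate as an untrusted chain certificate. Prints "<path>: OK".
verify_chain() {
    openssl verify -CAfile "$1/ca1.crt" -untrusted "$1/ca2.crt" "$1/ca3.crt"
}

run_demo() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; demo skipped"
        return 0
    fi
    work=$(mktemp -d)
    ( build_chain "$work" )
    # Correct pairing, then the kind of wrong pairing that made s_server fail.
    echo "ca3.crt vs ca3.key: $(key_matches_cert "$work/ca3.crt" "$work/ca3.key")"
    echo "ca3.crt vs ca2.key: $(key_matches_cert "$work/ca3.crt" "$work/ca2.key")"
    verify_chain "$work"
    rm -rf "$work"
}

run_demo
```

With ca1.crt and ca2.crt in the c_rehash'ed CApath directory and -cert ca3.crt -key ca3.key, s_server then sends the complete chain as Lutz describes; running key_matches_cert and verify_chain first is a cheap way to confirm the three files really form a chain before involving the server.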
-----Original Message-----
From: Patrick Li [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 22, 2001 10:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Server sending certificate chain
Hi
Thanks for the info! I tried that but I got a key values mismatch error.
I used the following command to generate the 2 levels of CA and a server
certificate
# self signed certificate for root CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca1.key 1024
% openssl req -new -key /export/home/pli/cert/ca1.key -out ca1.csr
% openssl x509 -req -in ca1.csr -signkey ca1.key -out ca1.crt
# intermediate CA signed by the root CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca2.key 1024
% openssl req -new -key /export/home/pli/cert/ca2.key -out ca2.csr
% openssl x509 -req -in ca2.csr -signkey ca1.key -out ca2.crt
# server certificate signed by the intermediate CA
% openssl genrsa -des3 -rand /export/home/pli/.cshrc -out ca3.key 1024
% openssl req -new -key /export/home/pli/cert/ca3.key -out ca3.csr
% openssl x509 -req -in ca3.csr -signkey ca2.key -out ca3.crt
# then I copy the ca1.csr and ca2.csr to the directory pointed by the
# CApath and renamed them with .pem suffix and ran "c_rehash ."
# I checked there are hash softlinks created for the pem files.
# but I got error about mismatch key values when running the s_server
# I typed in the passphrase that I used when creating the server certificate ca3.crt
%openssl s_server -accept 1111 -verify 3 \
-cert ca3.crt \
-key ca3.key -state \
-CApath /export/home/pli/cert/hash -WWW
%verify depth is 3
Using default temp DH parameters
Enter PEM pass phrase:
unable to get private key from 'ca3.key'
895:error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch:x509_cmp.c:285:
Did I perform some steps incorrectly?
Thanks
Patrick
>On Tue, Mar 20, 2001 at 11:27:23AM -0800, Patrick Li wrote:
>> I want to run "openssl s_server" to simulate the server sending out the
>> server certificate chain. I have created a root CA and used it to sign
>> another certificate (CA), which in turn was used to sign another certificate.
>> Now I have 3 certificates (including the root CA self-signed certificate).
>> How do I make s_server read the certificate chain?
>
>This is achieved with the SSL_CTX_use_certificate_chain_file() or
>SSL_CTX_add_extra_chain_cert() functions, none of which is used in
>s_server. Therefore you have to resort to the third solution:
>in order to build the certificate chain, an OpenSSL server will also
>look into the trusted CA storage. Therefore if you add the root and
>intermediate CAs with -CAfile or -CApath to s_server, the complete
>chain will be sent out.
>
>Best regards,
>Lutz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]