From: Chris Drumgoole <[EMAIL PROTECTED]>

You have misunderstood how verification is done.  What you need to tell
s_server is what issuers you trust by pointing out a store with their
certificates (a PEM file).  So, you need to get the certificate for
"OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US",
put it in PEM format in a file (say foo.pem) and tell s_server about that
file (-CAfile foo.pem).

cdrum> here is an example output from
cdrum> bin/openssl s_client -host rsaonline.rsasecurity.com -port 443 -showcerts
cdrum> (I picked rsaonline.... because I would think they would have a valid cert
cdrum> ;-)
cdrum>
cdrum> output:
cdrum>
cdrum>
cdrum>
cdrum> CONNECTED(00000004)
cdrum> depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum> verify error:num=20:unable to get local issuer certificate
cdrum> verify return:1
cdrum> depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum> verify error:num=27:certificate not trusted
cdrum> verify return:1
cdrum> depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum> verify error:num=21:unable to verify the first certificate
cdrum> verify return:1
cdrum> ---
cdrum> Certificate chain
cdrum>  0 s:/C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum>    i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
cdrum> Authority

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis             -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]

Re: problem with verifying certificates
Richard Levitte - VMS Whacker Thu, 03 May 2001 13:51:39 -0700
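
Added example, not part of the original message and not OpenSSL project code: the reply's point that verification only succeeds once the issuer's certificate is available in a PEM file passed with -CAfile, reproduced offline with `openssl verify`. The CA, the server certificate and every file name other than foo.pem are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway CA and server certificate, not the real
# RSA/VeriSign ones from the thread. Requires the openssl command-line tool.
issuer_trust_demo() {
    local d out untrusted trusted
    d=$(mktemp -d) || return 2

    # 1. Constructed issuer (self-signed root) and a server cert signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=US/O=Example Test CA/OU=Constructed Root" \
        -keyout "$d/ca.key" -out "$d/ca-orig.pem" >/dev/null 2>&1 || return 2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example/CN=server.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1 || return 2
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca-orig.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" >/dev/null 2>&1 || return 2

    # 2. Issuer certificates are often handed out as DER; convert the issuer
    #    to PEM, giving the trust file the reply calls foo.pem.
    openssl x509 -in "$d/ca-orig.pem" -outform DER -out "$d/ca.der" || return 2
    openssl x509 -inform DER -in "$d/ca.der" -out "$d/foo.pem" || return 2

    # 3. Issuer not supplied: chain building stops at depth 0 with error 20,
    #    the first error in the quoted s_client output.
    out=$(openssl verify "$d/srv.pem" 2>&1) || true
    case $out in
        *"error 20 at 0 depth lookup"*) untrusted=error20 ;;
        *) untrusted=unexpected ;;
    esac

    # 4. Issuer supplied with -CAfile: the chain builds and verifies.
    out=$(openssl verify -CAfile "$d/foo.pem" "$d/srv.pem" 2>&1) || true
    case $out in
        *": OK"*) trusted=OK ;;
        *) trusted=unexpected ;;
    esac

    rm -rf "$d"
    echo "untrusted:$untrusted trusted:$trusted"
}

issuer_trust_demo
```

The s_client command quoted in the message accepts the same -CAfile option.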