>> Hi, when I use ssldump to watch my server and client communication in
>> linux, client sent certificate to server, but server always said: bad
>> certificate.
>> Does anyone know how I make a client certificate that the server will accept?
>> Thanks a lot!
Hi, thanks for everyone's help. Sorry, I should have explained my question
more clearly.
Here are the steps that I followed:
1. Create my own certificate authority
* Create the CA private key:
# openssl genrsa -des3 -out /usr/local/ca/ca.key 1024
* Create the CA certificate (ca.crt) and sign it with the CA's private
key (ca.key):
# openssl req -new -x509 -days 365 -key /usr/local/ca/ca.key -out /usr/local/ca/ca.crt
2. Create an unsigned certificate:
* Create a certificate (cert.pem) and a certificate signing request or
CSR (req.pem):
# openssl req -new -nodes -out /tmp/req.pem -keyout /usr/local/ca/cert.pem
3. Sign your certificate with your CA's key
Using your CA's private key (ca.key) and certificate (ca.crt), sign the CSR
(req.pem) and create a signed certificate (signed_req.pem):
# openssl x509 -req -CA /usr/local/ca/ca.crt -CAkey /usr/local/ca/ca.key -days 365 -in /tmp/req.pem -out /tmp/signed_req.pem -CAcreateserial
4. Then I saved cert.pem as client.key and signed_req.pem as client.crt, and
used client.key and client.crt in client.c's
function SSL_CTX_use_certificate_file(). My client can see and display the
server's certificate, but the server complained about a bad client-side
certificate.
What did I do wrong in making the client certificate, so that the server won't accept
it? Anyone have any ideas?
Thanks for your help!
Qiming
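The same steps as an added example (not code from the original post or from the OpenSSL project), run non-interactively into a temporary directory and followed by the two checks a server applies to a client certificate: that it chains to a CA the server trusts (`openssl verify`) and that the private key presented with it really belongs to it. The file names under `$WORK` and the subject names are assumptions; it needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSL.
# Assumes a POSIX shell and the openssl command-line tool; every file
# lives under a temporary directory (WORK) so nothing in /usr/local is touched.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Steps 1-3 of the post, run without passphrases or interactive prompts.
make_pki() {
    # 1. CA private key and self-signed CA certificate
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" \
        -subj "/CN=Example Test CA" -out "$WORK/ca.crt" 2>/dev/null
    # 2. client private key (client.key) and a CSR for it (req.pem)
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=example client" \
        -keyout "$WORK/client.key" -out "$WORK/req.pem" 2>/dev/null
    # 3. the CA signs the CSR, producing the client certificate (client.crt)
    openssl x509 -req -days 365 -in "$WORK/req.pem" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null
}

# Check 1: does the certificate chain to the CA the server trusts?
# This is the same path validation the server performs; prints ok or fail.
verify_chain() {                      # $1 = trusted CA cert, $2 = cert to check
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 2: does the private key actually belong to the certificate?
# Compares the public key derived from the key with the one inside the cert.
key_matches_cert() {                  # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo ok; else echo fail; fi
}

make_pki
echo "client.crt chains to ca.crt:   $(verify_chain "$WORK/ca.crt" "$WORK/client.crt")"
echo "client.key matches client.crt: $(key_matches_cert "$WORK/client.key" "$WORK/client.crt")"
# Mixing the files up (handing over the CSR instead of the signed cert, or a
# key that does not belong to the cert) makes the corresponding check fail.
echo "req.pem as a certificate:      $(verify_chain "$WORK/ca.crt" "$WORK/req.pem")"
echo "ca.key with client.crt:        $(key_matches_cert "$WORK/ca.key" "$WORK/client.crt")"
```

Point `verify_chain` at the CA file the server actually loads (its `SSL_CTX_load_verify_locations()` path) to reproduce the server's decision offline.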
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]