Exactly right!

"openssl s_client -CAfile demoCA/cacert -connect server.net:443"

This returns no errors.

However, I still get the following when I try to connect from Mozilla.

"The connection was refused when trying to contact 192.168.1.103"

Stupid me!  I was using "http://"!  It works perfectly with "https://"

Thanks for all of the help! I think I understand how to do this much better now and can get on with my work.

The only real change I made (other than to rename the files) was to change the default days in CA.pl to 3650

[ I don't want to do this again for awhile. ]

It just goes to show that stupid errors can make all the difference.

And, I see the value of CA.pl (having read it).  Thanks again.

Dr. Stephen Henson wrote:
On Tue, Sep 14, 2004, Steve Ankeny wrote:


Here are the commands I used to create my own CA and my own certificate and key ....

"CA.pl -newca"
"CA.pl -newreq"
"CA.pl -signreq"

Everything went well (no errors), and I wound up with newcert.pem and newreq.pem (as well as cacert.pem as expected).

I renamed newcert.pem and newreq.pem to help identify them.

"mv newcert.pem server.net.pem"
"mv newreq.pem server.net.key"

I copied them to the Apache directories ssl.crt and ssl.key and edited the vhost-ssl.conf file to point to the proper files.

Here's the output of "openssl s_client -connect server.net:443"

root:~ # openssl s_client -connect server.net:443

CONNECTED(00000003)
depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
  i:/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDcjCCAtugAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJVUzEQ
MA4GA1UECBMHSW5kaWFuYTEiMCAGA1UEChMZUHlyYW1pZCBNb3J0Z2FnZSBBdWRp
dGluZzEQMA4GA1UEAxMHcG1hY2VydDEkMCIGCSqGSIb3DQEJARYVc2Fua2VueUBu
[redacted]
7IJxQa5W/bwcEKU+MoBlUYO1d+HDng==
-----END CERTIFICATE-----

subject=/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
issuer=/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1450 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: A526ACD02BA92C111FFA4E63FA293521429D1827014D2B57390FA99715ED7CDB
Session-ID-ctx:
Master-Key: 09A5F29D451372431FF71B3037A9943AA3106328D8EEA7422E88750FA4102F05F39FBB5C9906B2465D6B
Key-Arg : None
Start Time: 1095188189
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed


Here are the lines that bother me .....

verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate

Is there anything wrong with how I created these?



No, nothing wrong; it's just that that's what the s_client utility does when
presented with a CA it doesn't trust. If you include -CAfile cacert.pem on the
command line you shouldn't get that any more.


Mozilla times out when trying to connect to the server (with or without the certificate). What am I doing wrong?

Thanks for getting me this far.



You should type in the URL https://myhostname.whatever.org/ into Mozilla.

It's not clear why you get a timeout error. Is that the exact error Mozilla
comes up with? Are you connecting from the same machine you did the s_client
test on? If not then it's possible the route is blocked by a firewall or
something like that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]



--
"Well, you know what my dad always said? Having dreams is what makes life tolerable!"
-- Pete, Rudy's friend
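The exchange above boils down to one point: s_client's "verify error:num=20" means the client has no trust anchor for the issuer, not that CA.pl produced a bad certificate. The script below is an added example, not code from the thread or from OpenSSL's CA.pl; it assumes only that the openssl command-line tool is installed. It builds a throwaway CA and a CA-signed server certificate in a temporary directory (the subject names and file names are constructed for the example), then runs the offline equivalent of the s_client check with `openssl verify`: without -CAfile the result is error 20, with -CAfile cacert.pem it verifies cleanly. It also compares the server certificate's issuer against the CA's subject, which is the quickest way to confirm that the "i:" line s_client prints really is your CA.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce verify error 20 offline and show
# that pointing openssl at the CA certificate (-CAfile) makes it go away.
# Assumes the openssl CLI is installed; all names and paths below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA certificate (what CA.pl -newca produces; 3650 days as in the thread).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=US/ST=State/O=Company/CN=Example CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1

# 2. Server key + CSR (CA.pl -newreq), then sign the CSR with the CA (CA.pl -signreq).
openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=State/O=Company/CN=server.net" \
    -keyout "$WORK/server.net.key" -out "$WORK/server.net.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.net.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -days 365 -out "$WORK/server.net.pem" >/dev/null 2>&1

# verify_code CERT [CAFILE]
# Prints 0 when the certificate chains to a trusted CA, otherwise the numeric
# X509_V_ERR code taken from openssl's "error N at D depth lookup: ..." line
# (20 = unable to get local issuer certificate, the same code s_client showed).
verify_code() {
    cert=$1
    cafile=${2:-}
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) && { echo 0; return 0; }
    else
        out=$(openssl verify "$cert" 2>&1) && { echo 0; return 0; }
    fi
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# issuer_matches_ca SERVER_CERT CA_CERT
# Returns 0 when the server certificate's issuer DN equals the CA's subject DN,
# i.e. the "i:" line s_client prints is really this CA.
issuer_matches_ca() {
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Stand-alone demonstration of the two runs from the thread.
echo "without -CAfile: verify code $(verify_code "$WORK/server.net.pem")"
echo "with    -CAfile: verify code $(verify_code "$WORK/server.net.pem" "$WORK/cacert.pem")"
if issuer_matches_ca "$WORK/server.net.pem" "$WORK/cacert.pem"; then
    echo "server cert issuer matches CA subject"
fi
```

The -CAfile run is what a browser does when the CA certificate has been imported into its trust store; an s_client or browser that has not been told about cacert.pem will always report code 20, however correctly CA.pl was used.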
