These may be of use to you; you may have seen them, but I solved most of my problems with these howtos.

 

http://www.openldap.org/faq/data/cache/185.html

 

http://web.singnet.com.sg/~garyttt/

 

Victor

 


From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 09, 2005 11:44 AM
To: openssl-users@openssl.org
Subject: Re: TLSv1 - Certificate Chain

 

Thanks Victor,

But I am able to verify the certs using the following commands:

clientChain.pem has ServiceProviderCA and ClientCert (in that order)
serverChain.pem has ServiceProviderCA and ServerCert (in that order)

C:\OpenSSL\bin>openssl verify -CApath \certs clientChain.pem
c:\certs\clientChain.pem: OK

C:\OpenSSL\bin>openssl verify -CApath \certs serverChain.pem
c:\certs\serverChain.pem: OK

In addition, I used the default server.pem as input to run both the client and server side; even that seems to fail.
C:\OpenSSL\bin>openssl s_server -Verify yes -tls1 -cert server.pem
C:\OpenSSL\bin>openssl s_client -tls1 -cipher AES128-SHA -cert server.pem

Server logs
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=21:unable to verify the first certificate
verify return:1

Client logs
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=21:unable to verify the first certificate
verify return:1

I am using (OpenSSL 0.9.8a 11 Oct 2005)
------------ server.pem -------------
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
-----END RSA PRIVATE KEY-----
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
------------ server.pem -------------


thanks
chinmaya

On 12/9/05, Chevalier, Victor T. <[EMAIL PROTECTED]> wrote:

You may have created the certificates improperly.  I had the same problem last year.  You may want to post this on openldap and not openssl though.

 

Good Luck,

Victor


From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 08, 2005 6:55 PM
To: openssl-users@openssl.org
Subject: TLSv1 - Certificate Chain

 

Hi,

I am using OpenSSL as TLS client and server. I am using a certificate chain of size 3 on both sides.

On Server Side
RootCA (root.pem)
ServiceProviderCA (spca.pem)
ServerCert (server.pem)

On Client Side
RootCA (root.pem)
ServiceProviderCA (spca.pem)
ClientCert (client.pem)


I have placed the certs and the hash files ($hash.0) of all certs in c:\certs

I am running server as
C:\OpenSSL\bin>openssl s_server -Verify yes -cert \certs\server.pem -key \certs\server.key -CApath \certs -CAfile \certs\root.pem -tls1
[also tried without -CAfile option i.e. just with -CApath]

and client as
C:\OpenSSL\bin>openssl s_client -cipher AES128-SHA -cert \certs\client.pem -key \certs\client.key -CApath \certs -CAfile \certs\root.pem -tls1
[also tried without -CAfile option i.e. just with -CApath]

When the above commands are executed, the TLS connection gets established; however, I get some certificate verification errors (on both server and client sides).

on server side (opensslClient is CN in ClientCert)
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
verify error:num=21:unable to verify the first certificate
verify return:1

on client side (opensslServer is CN in ServerCert)
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
verify error:num=21:unable to verify the first certificate
verify return:1


However, everything works fine if I have my ServerCert and ClientCert signed directly by RootCA,
i.e. on the server side: RootCA and ServerCert, and on the client side: RootCA and ClientCert.

Shouldn't it work with an intermediate certificate (ServiceProviderCA), or am I missing some configuration?
Any input is greatly appreciated.

--
thanks in advance
chinmaya
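The chain problem argued about in this thread, as an added example that is not code from the thread or from OpenSSL: the script below builds a RootCA -> ServiceProviderCA -> server leaf chain in a temporary directory and then runs the `openssl verify` invocations that separate "the intermediate is available to the verifier" from "it is not". The names root, spca and server mirror the original post; the subjects, key sizes, extension files, temp directory and the hashed-directory layout are assumptions. It needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Builds
# RootCA -> ServiceProviderCA (spca) -> server leaf and exercises the
# verify paths discussed above. Assumptions: openssl on PATH, 2048-bit
# keys, made-up subjects, everything generated under a temp dir.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

subj() { printf '/C=US/O=XYZ Inc/CN=%s' "$1"; }

# Extension files: "openssl x509 -req -extfile" reads them as the default section.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext

# Root: self-signed and explicitly marked CA:TRUE so every release accepts it as an anchor.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "$(subj RootCA)" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate (the poster's spca.pem), signed by the root.
openssl genrsa -out spca.key 2048 2>/dev/null
openssl req -new -key spca.key -subj "$(subj ServiceProviderCA)" -out spca.csr 2>/dev/null
openssl x509 -req -in spca.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out spca.pem 2>/dev/null

# Leaf (the poster's server.pem), signed by the intermediate.
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "$(subj opensslServer)" -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA spca.pem -CAkey spca.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out server.pem 2>/dev/null

# 1. Trust the root only and give the verifier nothing else. This is what a
#    TLS peer sees when only the leaf arrives and the intermediate is not in
#    its own store: error 20 "unable to get local issuer certificate" at depth 0.
verify_leaf_root_only() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# 2. Hand the intermediate over as an *untrusted* chain certificate, which is
#    what a TLS peer must do on the wire (leaf first, then spca). Succeeds.
verify_leaf_with_untrusted() {
  openssl verify -CAfile root.pem -untrusted spca.pem server.pem >/dev/null 2>&1
}

# 3. Hashed directory, the layout the poster used for c:\certs. Each file must
#    be named <subject hash>.0 as computed by the *same* OpenSSL release
#    (1.0.0 changed the hash; newer builds print the old one with -subject_hash_old).
build_capath() {
  rm -rf certs && mkdir certs
  for c in root.pem spca.pem; do
    cp "$c" "certs/$(openssl x509 -in "$c" -noout -subject_hash).0"
  done
}
verify_leaf_capath() {
  build_capath
  openssl verify -CApath certs server.pem >/dev/null 2>&1
}

# 4. Same CA files under their plain names. By-directory lookup only opens
#    files named <hash>.N, so the intermediate is never found: error 20 again,
#    although "the certs are in the directory".
verify_leaf_capath_unhashed() {
  rm -rf plain && mkdir plain
  cp root.pem spca.pem plain/
  openssl verify -CApath plain server.pem >/dev/null 2>&1
}

# 5. What "openssl verify serverChain.pem" really checks when the file starts
#    with the intermediate: verify loads only the first certificate of each
#    file, so "OK" proves that spca chains to the root and says nothing about
#    the leaf that follows it in the file.
verify_chain_file_first_only() {
  cat spca.pem server.pem > serverChain.pem
  openssl verify -CAfile root.pem serverChain.pem >/dev/null 2>&1
}

# Run every case and print the outcome; cases 1 and 4 are expected to fail.
for f in verify_leaf_root_only verify_leaf_with_untrusted verify_leaf_capath \
         verify_leaf_capath_unhashed verify_chain_file_first_only; do
  if $f; then echo "$f: OK"; else echo "$f: FAIL"; fi
done
```

The three errors in the thread's logs (20, then 27, then 21, all at depth 0) are the signature of case 1 and case 4: the peer's leaf arrived, its issuer could not be found either in what the peer sent or in the local store, so the chain stops at the first certificate. Things to check when that happens are that the hash filenames in the CApath directory were produced by the same OpenSSL release that reads them, that the intermediate is actually what issued the leaf (compare `openssl x509 -noout -issuer` of the leaf with `-subject` of the intermediate), and that the side presenting a certificate can also present its intermediate; newer s_server and s_client releases take it explicitly with `-cert_chain`, while with only a leaf in `-cert` the peer has to have the intermediate locally. A chain file used with `openssl verify` should have the leaf first and the intermediate passed via `-untrusted`, otherwise the "OK" tests the wrong certificate.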
