* I tried with the -Verify 9 option. No change in the output; it still fails with the same error (unable to get local issuer certificate).
* However, with the change in syntax of openssl verify (as you suggested), the verification is failing:

server.pem - has only ServerCert, does not include ServiceProviderCA
--------- snippet --------
C:\OpenSSL\bin>openssl verify -verbose -purpose sslserver -untrusted \certs\spca.pem -CApath \certs  \certs\server.pem

C:\certs\ClientCert.pem: /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
error 20 at 0 depth lookup:unable to get local issuer certificate
--------- snippet --------
Is there a way to know the reason behind the failure?
The certs are NOT generated using openssl. The ServiceProviderCA does not have an Extended Key Usage extension; does it make a difference?

> The alternative is to include the intermediate CA in the trusted store and
> they will then be searched for and added automatically.

* I had put the $hash.0 files (including ServiceProviderCA) in the \certs directory, which is included in CApath (-CApath \certs)

thanks
chinmaya


On 12/9/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Thu, Dec 08, 2005, [EMAIL PROTECTED] wrote:

> Hi,
>
> I am using OpenSSL as TLS client and server. I am using a certificate chain
> of size 3 on both sides.
>
> On Server Side
> RootCA (root.pem)
> ServiceProviderCA (spca.pem)
> ServerCert (server.pem)
>
> On Client Side
> RootCA (root.pem)
> ServiceProviderCA (spca.pem)
> ClientCert (client.pem)
>
>
> I have placed the certs and the hash files ($hash.0) of all certs in
> c:\certs
>
> I am running server as
> C:\OpenSSL\bin>openssl s_server -Verify yes -cert \certs\server.pem -key
> \certs\server.key -CApath \certs -CAfile \certs\root.pem -tls1
> [also tried without -CAfile option i.e. just with -CApath]
>
> and client as
> C:\OpenSSL\bin>openssl s_client -cipher AES128-SHA -cert \certs\client.pem
> -key \certs\client.key -CApath \certs -CAfile \certs\root.pem -tls1
> [also tried without -CAfile option i.e. just with -CApath]
>
> When the above commands are executed, TLS connections get established; however,
> I get some certificate verification errors (both on server and client sides)
>
> on server side (opensslClient is CN in ClientCert)
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> on client side (opensslServer is CN in ServerCert)
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
>
> However, everything works fine if I have my ServerCert and ClientCert signed
> directly by RootCA.
> i.e. on server side: RootCA and ServerCert and on client side RootCA and
> ClientCert.
>
> Shouldn't it work with an intermediate certificate (ServiceProviderCA), or
> am I missing any configuration?
> Any input is greatly appreciated

The server and client need to include the intermediate CA(s)
(ServiceProviderCA) in the chain they send to the peer.

This is normally done by an "additional certificates" option but s_client and
s_server don't have those at present.

The alternative is to include the intermediate CA in the trusted store and
they will then be searched for and added automatically.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
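The two ways Steve describes for completing the chain (the intermediate sent by the peer as untrusted chain material, or the intermediate found in the trusted store) and the hashed -CApath setup chinmaya describes, as an added example that is not code from the thread: the script below builds a three-certificate chain in the shape of the post (RootCA, ServiceProviderCA without any extendedKeyUsage, ServerCert), hashes the two CA certificates into a CApath directory the way the $hash.0 files in the post are laid out, and runs openssl verify three ways so the error 20 case can be compared with the two working ones. It assumes OpenSSL 1.1.1 or later on PATH; the file names, DNs and extension choices are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Builds RootCA -> ServiceProviderCA ->
# ServerCert, hashes the CAs into a -CApath directory and verifies the leaf
# three ways. Assumes OpenSSL >= 1.1.1; all names below are illustrative.

WORK=${WORK:-$(mktemp -d)}
CERTS="$WORK/certs"

gen_chain() {
    mkdir -p "$CERTS"
    # Minimal req config so the run does not depend on a system openssl.cnf;
    # -subj overrides the placeholder DN.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

    # RootCA: self-signed, CA:TRUE.
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$CERTS/root.key" -out "$CERTS/root.pem" \
        -subj "/C=US/O=XYZ Inc/OU=ABCD/CN=RootCA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -addext "subjectKeyIdentifier=hash" 2>/dev/null || return 1

    # ServiceProviderCA: issued by RootCA. Deliberately carries no
    # extendedKeyUsage, as in the post; -purpose sslserver only checks EKU on a
    # CA certificate when one is present.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CERTS/spca.key" -out "$WORK/spca.csr" \
        -subj "/C=US/O=XYZ Inc/OU=ABCD/CN=ServiceProviderCA" 2>/dev/null || return 1
    openssl x509 -req -days 2 -in "$WORK/spca.csr" -CA "$CERTS/root.pem" -CAkey "$CERTS/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$CERTS/spca.pem" 2>/dev/null || return 1

    # ServerCert: end-entity issued by ServiceProviderCA.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:opensslServer\n' > "$WORK/ee.ext"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CERTS/server.key" -out "$WORK/server.csr" \
        -subj "/C=US/O=XYZ Inc/OU=ABCD/CN=opensslServer" 2>/dev/null || return 1
    openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$CERTS/spca.pem" -CAkey "$CERTS/spca.key" \
        -CAcreateserial -extfile "$WORK/ee.ext" -out "$CERTS/server.pem" 2>/dev/null || return 1
}

# Lay out $hash.0 files for -CApath. The hash must come from the same OpenSSL
# major version that will read the directory: 1.0.0 changed the algorithm, and
# -subject_hash_old reproduces the pre-1.0.0 names.
mk_hashdir() {
    mkdir -p "$CERTS/hashed"
    for c in root.pem spca.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$CERTS/$c") || return 1
        cp "$CERTS/$c" "$CERTS/hashed/$h.0" || return 1
    done
}

# 1. Root and intermediate both in the trusted CApath: the intermediate is
#    looked up by subject hash and the chain completes.
verify_capath() {
    openssl verify -purpose sslserver -no-CAfile -CApath "$CERTS/hashed" "$CERTS/server.pem"
}

# 2. Only RootCA trusted; the intermediate is supplied as untrusted chain
#    material, which is what a peer normally sends in the handshake.
verify_untrusted() {
    openssl verify -purpose sslserver -no-CApath -CAfile "$CERTS/root.pem" \
        -untrusted "$CERTS/spca.pem" "$CERTS/server.pem"
}

# 3. Only RootCA trusted and nothing supplies the intermediate: fails with
#    "error 20 at 0 depth lookup: unable to get local issuer certificate".
verify_root_only() {
    openssl verify -purpose sslserver -no-CApath -CAfile "$CERTS/root.pem" "$CERTS/server.pem"
}

# Reduce a failing verify run to its "error <num> at <depth> depth" line.
first_error() {
    "$@" 2>&1 | sed -n 's/^\(error [0-9][0-9]* at [0-9][0-9]* depth\).*/\1/p' | head -n 1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; return 1; }
    gen_chain && mk_hashdir || return 1
    echo "--- CApath holding root and intermediate:"; verify_capath
    echo "--- CAfile root plus -untrusted intermediate:"; verify_untrusted
    echo "--- CAfile root only:"; verify_root_only || true
}

main
```

The first two verify calls print OK; the third reports error 20 at depth 0, the same diagnostic as in the post, because the verifier has nothing to chain the leaf to. `openssl rehash <dir>` (1.1.0 and later) produces the same $hash.0 layout as mk_hashdir. Current s_server and s_client also accept `-cert_chain <file>` to send intermediates with the end-entity certificate, which is the "additional certificates" option Steve notes was missing at the time.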