On 7/2/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sun, Jul 02, 2006, snacktime wrote:
> > Oops, you will also need this cert in the ca chain. The client cert
> > that does verify was issued by this cert, which was issued by the
> > root. The one I gave you that does not verify was issued by the root
> > ca directly.
> >
> >
> That's your problem then. OpenSSL needs to find the intermediate CA. This can
> be either sent by the other party or explicitly on the command line.
> So in the example with "openssl verify" you can include:
> -untrusted intca.pem
> and it should work. Similarly if you have a webserver the SSL client (e.g.
> Firefox) needs to be able to see the intermediate CA. You do this by either
> including the CA in your list of trusted CAs or specifying it manually as an
> "additional certificate".
The certificate I sent that doesn't verify doesn't need the
intermediate cert; it was issued by the root cert. The other client
certificate that does verify was signed by the intermediate.
It's not simply a matter of trying to verify against the wrong ca, or
not having them in the browser; it's something else.
One strange thing with firefox. The certificate that does not verify
will show up in firefox under 'My Certificates' under the correct CA.
But when you view it, it says the issuer is unknown and in the
hierarchy it just shows itself. In IE everything is fine. Also,
when I create a new CA with my software, the certs I sign with it
verify ok. It's only certs signed by the ca I created a couple of
years ago that won't verify. So, there is something in the new certs
I am creating that isn't compatible with the old ca certs.
At this point, since all we issue the certificates for is client
authentication, it's not a big deal to just use a new ca to issue all
future certs. I'd still like to understand what I'm doing wrong
though. Just when I thought I understood it all, something doesn't
work as expected :)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
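The "-untrusted intca.pem" behaviour Dr. Henson describes above, reproduced end to end as an added example (this script is not from the thread or from the OpenSSL project). It builds a throwaway root CA, an intermediate CA issued by that root, and two client certificates: one issued by the intermediate and one issued directly by the root, mirroring the two certs in the discussion. It then runs "openssl verify" trusting only the root, with and without the intermediate offered via "-untrusted". All subject names, file names and the scratch directory are constructed for the demo; it assumes OpenSSL 1.1.1 or newer on the PATH (where the exit status of "openssl verify" reflects the result).

```shell
#!/bin/sh
# Added example (not from the thread). Builds root -> intermediate -> client
# with the openssl CLI and shows when "openssl verify" needs "-untrusted".
# Every name and path below is constructed for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
CURVE="ec_paramgen_curve:prime256v1"   # small EC keys so the demo is fast

# Minimal req config: with -subj on the command line no DN prompts are needed.
write_configs() {
    mkdir -p "$WORK"
    printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n' > "$WORK/req.cnf"
    # Extensions that make a certificate usable as a CA.
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca_ext.cnf"
}

# new_csr NAME "/CN=Subject": fresh EC key plus CSR under $WORK.
new_csr() {
    openssl req -new -config "$WORK/req.cnf" -newkey ec -pkeyopt "$CURVE" -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

make_demo_chain() {
    write_configs
    # Root CA: self-signed, with CA extensions.
    new_csr root "/CN=Demo Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
        -days 1 -extfile "$WORK/ca_ext.cnf" -out "$WORK/root.pem" >/dev/null 2>&1
    # Intermediate CA: issued by the root, also with CA extensions.
    new_csr int "/CN=Demo Intermediate CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 2 -days 1 -extfile "$WORK/ca_ext.cnf" -out "$WORK/int.pem" >/dev/null 2>&1
    # Two client certs: one issued by the intermediate, one directly by the root.
    new_csr client_via_int "/CN=client issued by intermediate"
    openssl x509 -req -in "$WORK/client_via_int.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -set_serial 3 -days 1 -out "$WORK/client_via_int.pem" >/dev/null 2>&1
    new_csr client_via_root "/CN=client issued by root"
    openssl x509 -req -in "$WORK/client_via_root.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 4 -days 1 -out "$WORK/client_via_root.pem" >/dev/null 2>&1
}

# verify_leaf LEAF [INTERMEDIATE]: trust only root.pem; optionally hand the
# intermediate to the verifier as an untrusted chain certificate. Returns the
# exit status of "openssl verify" (0 = chain built to the trusted root).
verify_leaf() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1"
    else
        openssl verify -CAfile "$WORK/root.pem" "$1"
    fi
}

run_demo() {
    make_demo_chain
    echo "== issued by root: no intermediate needed"
    verify_leaf "$WORK/client_via_root.pem" || true
    echo "== issued by intermediate, intermediate not supplied (fails: unable to get local issuer certificate)"
    verify_leaf "$WORK/client_via_int.pem" || true
    echo "== issued by intermediate, intermediate supplied with -untrusted"
    verify_leaf "$WORK/client_via_int.pem" "$WORK/int.pem" || true
    rm -rf "$WORK"
}

run_demo
```

The second case is the one from the thread: the verifier trusts the root, the client cert is fine, but nothing tells OpenSSL where the intermediate lives, so chain building stops at depth 0. Passing the intermediate with "-untrusted" (or having the peer send it in the handshake) is all that is missing; the intermediate does not have to be trusted itself, since it chains to the root.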