Hello. I am currently reading John Viega et al. (the O'Reilly book), on the chapter that focuses on the creation of certificates. Basically, in the server2 / client2 example, the client won't accept the server's certificate. I hope that this will not be too "O'Reilly specific", but if you have this example handy on your desk, it might help you help me on the subject. But before I send pages and pages of certs and code for all to check, I would like to know a few things about creating PEM files and checking them independently.
1) Does a PEM have an order? Does the certificate come before the key or after? Does a CA's certificate come before / after the issuer's cert? In the example, PEMs are always cat'ted starting with the issuer certs, then its private key, then the CA's cert, like so:

cat clientcert.pem clientkey.pem rootcert.pem > client.pem

2) How can I check if root.pem is the signer of client.pem? Is this the right way?

% openssl verify -CAfile rootcert.pem client.pem
client.pem: OK

Can I expect that this will be valid with any other PEM signed with the root CA?

3) The book also starts with a pretty strict example using SSL_CTX_verify_locations, which I believe is the source of all my problems so far (and the message returned by openssl is pretty cryptic). So all the questions below are based on this function. Since I'm not on a production box, with no FQDN, how should I set up my commonName and dNSName in my openssl.cnf to make it work?

- Should I sign with 'localhost' on all my certs if I run both client and server on my box?
- What about on a LAN, will an IP address do, signing the server cert with 192.168.0.3 and the client cert with 192.168.0.5? Or must I set up bogus names in my /etc/hosts file?
- Even if the root CA is outside of my network, will the client trust the cert sent by the server even if I can't access the root CA's site, as long as I have the root's cert on the client side?

Thanks for reading this. Hope it wasn't a pain.

Regards,
Marc St-Jacques
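As an added example (not code from the book or from the post above), the following shell script builds a throwaway root CA and a server certificate whose subjectAltName carries both localhost and a LAN IP address, concatenates the files in the same order the post uses, and checks the result with openssl verify, including the -verify_hostname and -verify_ip checks relevant to the localhost-versus-IP question. The file names, the "Test Root CA" name and the SAN values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the book or the original post: build a throwaway
# root CA plus a server cert with a subjectAltName, concatenate them in the
# order the post uses, and check the result with openssl verify.
# Assumes the openssl command-line tool (1.1.1 or newer) is on PATH.
set -e

make_certs() {
  dir="$1"
  cfg="$dir/ext.cnf"
  # Minimal config: a dn section (required by req) and two extension sections.
  cat >"$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost,IP:192.168.0.3
EOF
  # Self-signed root (a constructed test CA, not a real one).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$cfg" \
    -extensions ca_ext -subj "/CN=Test Root CA" \
    -keyout "$dir/rootkey.pem" -out "$dir/rootcert.pem" 2>/dev/null
  # Server key and CSR, then sign the CSR with the root, adding the SAN.
  openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -subj "/CN=localhost" \
    -keyout "$dir/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/rootcert.pem" \
    -CAkey "$dir/rootkey.pem" -CAcreateserial -extfile "$cfg" \
    -extensions srv_ext -out "$dir/servercert.pem" 2>/dev/null
  # Same concatenation order as the post: own cert, own key, root cert.
  cat "$dir/servercert.pem" "$dir/serverkey.pem" "$dir/rootcert.pem" \
    >"$dir/server.pem"
}

# verify_leaf CAFILE PEMFILE [extra openssl verify options]
# openssl verify checks the first CERTIFICATE block in PEMFILE against the
# trust anchors in CAFILE; -verify_hostname/-verify_ip also check the SAN.
# Returns 0 on success, non-zero otherwise.
verify_leaf() {
  ca="$1"; pem="$2"; shift 2
  openssl verify -CAfile "$ca" "$@" "$pem" >/dev/null 2>&1
}
```

Run make_certs on a scratch directory, then call verify_leaf with that directory's rootcert.pem and server.pem, optionally adding -verify_hostname localhost or -verify_ip 192.168.0.3; a name that is not in the SAN makes the check fail.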