The client certificate chain, along with the intermediate CA certificates, is
attached. This certificate chain is converted to the X.509 standard, PEM format,
and then sent to the server.


Patrick Patterson-3 wrote:
> 
> Hello Prathima:
> 
> On March 24, 2009 10:40:47 am prathima wrote:
>> Hi Kyle,
>>
>> CA certificate chain is parsed properly. I also tried using only the
>> RootCA (excluding intermediate CAs). Even with this I am getting the same
>> error.
>> Could you please explain this:
>> client.crt also needs to have extendedKeyUsage of
>> "clientAuthentication" and keyUsage of "encipherment" and "key
>> negotiation"
>>
> A couple of things to take a look at:
> 
> 1: Do all of the CA Certificates have the extension "Basic Constraints: 
> CA:True"?
> 
> 2: Do the Issuer/Subject fields of the CA certificates chain correctly?
> 
> 3: Do the AKI/SKI fields of the CA certificates chain correctly?
> 
> What happens when you do:
> 
> openssl verify -CAfile cachain.crt -verbose client-cert.pem?
> 
> Can you post the cachain.crt file?
> 
> Have fun.
> 
> -- 
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> 
> 
http://www.nabble.com/file/p22779046/clientm_3.p7b clientm_3.p7b 
-- 
View this message in context: 
http://www.nabble.com/Apache-server-says-unknown-ca-when-clientcertificate-chain-is-sent-to-server-tp22675508p22779046.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
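Added example, not code from this thread or from OpenSSL: Patrick's three checks and the `openssl verify -CAfile` test expressed with Go's crypto/x509, whose verifier applies the same rules. It builds a constructed root -> intermediate -> client chain, tests the Issuer/Subject and AKI/SKI links, and shows that an intermediate without Basic Constraints CA:TRUE makes the client certificate fail as signed by an unknown authority. The certificate names and the `mkCert`/`checkChain` helpers are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil); constructed test material.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // extension always emitted; CA:TRUE only when isCA
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil // CAs only sign certificates here
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // Go sets the SKI of CAs and copies the parent's SKI into the AKI
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkChain builds root -> intermediate -> client (interIsCA=false leaves CA:TRUE off the intermediate, item 1),
// tests the Issuer/Subject and AKI/SKI links (items 2 and 3), then verifies like "openssl verify -CAfile cachain.crt client-cert.pem".
func checkChain(interIsCA bool) (linked bool, err error) {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	inter, interKey := mkCert("Test Intermediate CA", interIsCA, root, rootKey)
	client, _ := mkCert("client", false, inter, interKey)
	linked = client.Issuer.String() == inter.Subject.String() && bytes.Equal(client.AuthorityKeyId, inter.SubjectKeyId) &&
		inter.Issuer.String() == root.Subject.String() && bytes.Equal(inter.AuthorityKeyId, root.SubjectKeyId)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err = client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return linked, err
}
```

With interIsCA=false the links still match but Verify returns an unknown-authority error, which is the symptom the thread describes; with a proper CA:TRUE intermediate the same chain verifies.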
