I did run the verification, and didn't have an issue there. I am still not able to figure out how to correctly create this, as the only way the p12 compiles is by dropping the "-chain" command, but that creates SSL verification warnings in Firefox web browsers.

openssl req -verify -in www.example.com.csr -key www.example.com.key
verify OK
-----BEGIN CERTIFICATE REQUEST-----
CERTIFICATE DATA HERE
-----END CERTIFICATE REQUEST-----

On Sat, Apr 23, 2011 at 4:41 PM, James Chase <chase1...@gmail.com> wrote:

> I am using the same system -- I have tried with last year's chain file as
> well. The only thing that would be different to my knowledge are possibly
> the version of openssl and the renewed crt file if it possibly requires new
> CA's (I did use their most current certificates before I tried using my old
> cafile).
>
> openssl verify never returns, I'm not sure what the syntax I am shooting
> for there is.
>
> When I try without using the "-chain" command then it compiles the p12 and
> it does seem to load in Chrome and IE, but in FF3 I get:
>
> secure.example.com uses an invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
> (Error code: sec_error_unknown_issuer)
>
> And in FF4 I get:
>
> store.innertraditions.com uses an invalid security certificate.
> The certificate is not trusted because no issuer chain was provided.
> (Error code: sec_error_unknown_issuer)
>
> I have always used the -chain and -CAfile options together when creating
> p12's.
>
> On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote:
>
>> On 04/21/2011 06:51 PM, James Chase wrote:
>>
>> I have done this multiple years in a row with the exact same process but
>> now I get the following error when I try to create my SSL:
>>
>> openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12
>> -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
>> Error unable to get local issuer certificate getting chain.
>>
>> I concatenated all the intermediate files in the order they suggest, and
>> according to the process I have documented that has worked the past few
>> years. I also downloaded the pre-built chain file where they already
>> concatenated the needed files together but I get the same error. I also
>> tried the same chain file I used last year -- same results. Googling is not
>> helping me understand this error. Anyone know what could be going on here
>> with the EV SSL creation for Network Solutions?
>>
>> --
>> "Beware of all enterprises that require new clothes."
>> -- Henry David Thoreau
>>
>> James,
>>
>> You don't need to include the '-chain' option since you are providing the
>> chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build
>> the chain for you.
>>
>> --Crypto.Sal
>
> --
> "Beware of all enterprises that require new clothes."
> -- Henry David Thoreau

--
"Beware of all enterprises that require new clothes."
-- Henry David Thoreau
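
The pkcs12 export behaviour discussed in this thread can be reproduced offline against a throwaway PKI. This is an added example, not part of the original messages: every certificate name, file name and the password are constructed, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example. Constructed throwaway PKI: root -> intermediate -> leaf.
make_pki() (
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Constructed Root" -days 2 2>/dev/null
  for n in int leaf; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout "$n.key" -out "$n.csr" -subj "/CN=constructed-$n" 2>/dev/null
  done
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -out int.crt -days 2 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 2 2>/dev/null
  cat int.crt root.crt > full.crt   # complete CA file: intermediate + root
)

# export_p12 <dir> <out.p12> [pkcs12 options...]; returns openssl's exit status
export_p12() (
  cd "$1" || exit 1; out=$2; shift 2
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -out "$out" \
    -passout pass:constructed "$@" 2>/dev/null
)

# count_certs <dir> <file.p12>: prints how many certificates the bundle holds
count_certs() (
  cd "$1" || exit 1
  openssl pkcs12 -in "$2" -nokeys -passin pass:constructed 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
)

d=$(mktemp -d) && make_pki "$d" || exit 1
# 1. -chain, but the CA file lacks the leaf's issuer: chain building fails
export_p12 "$d" bad.p12 -chain -CAfile root.crt || echo "root-only CA file: export failed"
# 2. -chain with the complete CA file: leaf + intermediate + root are stored
export_p12 "$d" full.p12 -chain -CAfile full.crt && echo "full: $(count_certs "$d" full.p12) certs"
# 3. -CAfile without -chain: only the leaf is stored
export_p12 "$d" leaf.p12 -CAfile full.crt && echo "no -chain: $(count_certs "$d" leaf.p12) certs"
# 4. -certfile adds the named certificates without any chain verification
export_p12 "$d" cf.p12 -certfile int.crt && echo "-certfile: $(count_certs "$d" cf.p12) certs"
```

Counting the certificates in a bundle before deploying it shows whether the intermediates a browser needs are actually inside the file.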