Hi, I would suggest you grab some documentation of the openssl commands.
That's enough for your problem.

Well, you can get the certificate imported into your Firefox using the
following commands.

1)
openssl s_client -connect www.google.co.in:443 -showcerts

Here, copy the text between the last

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

and save it to a file, say cert.ansi

2)
openssl asn1parse -in cert.ansi -out cert.der

Here you will get the Fx-importable certificate cert.der

As mentioned earlier, if the server (Man in the Middle) is forcing TLS1.1/
you can add check (-ssl3) in the first command.

3) Import cert.der into your Fx under trusted root authorities

-
Thanks,
Saurabh Pandya



On Tue, Jun 18, 2013 at 4:39 PM, Carl Young <carlyo...@keycomm.co.uk> wrote:

>
> Sorry for top-post - webmail :(
>
> In TLS, the server should not send the root certificate - it sends the
> chain up to, but not including, the root certificate.
>
> From (sorry)
> http://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx
>
> Server Certificate Message
> The server sends its certificate to the client. The server certificate
> contains the server’s public key. The client uses this key to authenticate
> the server and to encrypt the Premaster Secret. The Server Certificate
> message includes:
> The server’s certificate list. The first certificate in the list is the
> server’s X.509v3 certificate that contains the server’s public key.
>
> Other validating certificates. All other validating certificates, up to
> but not including the root certificate from the CA, signed by the CA.
>
>
> Carl
>
>
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org]
> on behalf of Cristian Thiago Moecke [cont...@cristiantm.com.br]
> Sent: 18 June 2013 11:43
> To: openssl-users@openssl.org
> Subject: Re: Is it possible to grab CA certificate?
>
> If the only certificate that is shown is the server certificate, the
> server is not providing the certificate chain, only the server certificate.
> This way, you won't be able to get the CA certificate from the SSL
> connection. Maybe your network admins want to fix that too.
>
> What is strange is that exceptions are not working as expected. Is there
> any chance that the certificate is changing from time to time?
>
> I really think you will need to discuss what is happening with the server
> admins.
>
> On Tue, Jun 18, 2013 at 3:07 AM, A A <wemp...@gmail.com> wrote:
>
> When I go to SSL site I see this message in fx:
>
> "You have asked Firefox to connect securely to news.ycombinator.com,
> but we can't confirm that your connection is secure.
>
> Normally, when you try to connect securely,
> sites will present trusted identification to prove that you are
> going to the right place. However, this site's identity can't be verified.
>
> What Should I Do?
>
> If you usually connect to this site without problems, this error could
> mean that someone is
> trying to impersonate the site, and you shouldn't continue.
>
> news.ycombinator.com uses an invalid security certificate.
>
> The certificate is not trusted because no issuer chain was provided.
>
> (Error code: sec_error_unknown_issuer)"
>
> And then I go to Add exception -> View -> Details tab -> Certificate
> hierarchy but there is only news.ycombinator.com present. When I
> export it and try to import it into fx I get:
>
> "This is not a certificate authority certificate, so it can't be
> imported into the certificate authority list."
>
> So I think this is not CA certificate but a server certificate.
>
> And about recurring errors on the same site: I have a number of server
> exceptions in "Servers" list under my company custom CA certificate in
> Advanced -> View Certificates -> Servers. All of them are marked
> "Permanent". Nevertheless, the error page I described above appears
> from time to time even on sites that I have previously added to a
> trusted list. It's extremely annoying and I don't know why this
> happens. I use Firefox 21.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
> --
> --
> Cristian Thiago Moecke
>
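
The check below is an added example, not part of the original thread: it reads saved `openssl s_client -showcerts` output, extracts the last PEM block (the text step 1 saves as cert.ansi), and reports whether the chain the server sent is a lone server certificate, stops at an intermediate, or ends in a self-issued certificate. The function names and the sample output (hypothetical names, placeholder base64 bodies rather than real certificates) are constructed for illustration.

```sh
#!/bin/sh
# Constructed stand-in for saved `openssl s_client -showcerts` output.
# Names are hypothetical; base64 bodies are placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/O=Example Org/CN=www.example.test
   i:/C=XX/O=Example Org/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example Org/CN=Example Issuing CA
   i:/C=XX/O=Example Org/CN=Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5U
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/O=Example Org/CN=www.example.test
---
EOF
}

# Print the last PEM block on stdin: the text step 1 says to save as cert.ansi.
last_pem() {
    awk '/^-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
         inside                         { buf = buf $0 "\n" }
         /^-----END CERTIFICATE-----/   { inside = 0; last = buf }
         END                            { printf "%s", last }'
}

# Classify the chain from its "N s:" (subject) and "i:" (issuer) lines:
#   leaf-only          one certificate, issued by someone else: no CA to import
#   intermediate-last  chain stops below the root, as TLS servers normally send it
#   self-issued-last   last certificate names itself as issuer (root or self-signed)
chain_kind() {
    awk '/^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
         /^ +i:/        { sub(/^ +i:/, ""); iss = $0 }
         END { if (n == 0)           print "no-chain"
               else if (subj == iss) print "self-issued-last"
               else if (n == 1)      print "leaf-only"
               else                  print "intermediate-last" }'
}

sample_output | chain_kind    # prints: intermediate-last
```

Against a real capture, pipe the saved s_client output into `chain_kind` first; a `leaf-only` result is the case where Firefox refuses the import into the authority list.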
