I will try an ASN.1 decoder tomorrow. Thanks for the suggestion! One thing I did try today was to have both servers generate their certificates using the same private key. Theoretically I would expect the two certs to then be exactly the same to the bit... I am not providing any domain or IP specific fields just so that I can do this comparison, and made sure all other variable fields would be static. The only variable left should be my signing algorithm vs. the one used by OpenSSL's code. What I think I found was that the two certs were identical except for 4 bytes. There was a 0x05 and 0x00 following two fields in the OpenSSL-generated cert. Each occurrence of these 2 bytes was following the signature algorithm identifier (in two places, I think). These 4 bytes were not in the non-OpenSSL cert. Could this be my problem? Is there a significance to the 0x05 and 0x00? They seemed to be part of the enclosing structure that contained the signature alg id but not part of the id itself, at least according to Wireshark. Are they necessary padding that I'm missing in my custom cert generation?
Like I said earlier, I'll try to attach the certs tomorrow. I really appreciate everybody's help!

CHAD

> On Jul 7, 2014, at 5:09 PM, "Ben Wilson" <b...@digicert.com> wrote:
>
> You could try examining both PEM-encoded certificates using an ASN.1
> decoder, such as the one here - http://lapo.it/asn1js
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Barbe, Charles
> Sent: Sunday, July 6, 2014 8:42 PM
> To: openssl-users@openssl.org
> Subject: Certificate problem
>
> I'm having a problem with generating certificates and I'm wondering if
> anybody has any suggestions on where to look.
>
> I have the following certificates and associated private keys:
>
> A - certificate A generated with one version of my software not using openssl
> B - certificate B generated with a new version of my software that does use openssl
> CA - a local certificate authority whose private key is used to sign both A and B
>
> I can verify both A and B using openssl verify using CA as the cafile
> argument.
>
> However, when I install CA on a client and try to connect a web browser to
> my server running the two different versions of software, they complain that
> they cannot find the issuer with A but not with B.
>
> I have examined both certificates and cannot find anything different about
> them. As far as I can tell, the only difference is that B used openssl to
> generate the certificate and A used our own custom software. The odd thing
> to me is that openssl verify can verify both just fine. What are the web
> browsers doing differently? I've tried Chrome, Firefox and Opera and all
> behave the same... accepting B and rejecting A.
>
> Does anybody have any suggestions on where to look to figure this out? A
> tool to use?
>
> I realize that actually attaching the certs might be helpful but I do not
> have them handy as I write this. Please let me know if that might help
> somebody help me figure this out.
>
> Thanks!
>
> Chad.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org