Re: How to setup chain of certs
Thanks Dr. Steve.

-Sudhakar

On 12/21/06, Dr. Stephen Henson wrote:
> On Wed, Dec 20, 2006, Sudhakar wrote:
>> Hi,
>> I am facing a problem with chain of certs. I have used the following
>> commands for creating a chain of certs (servercert2.pem will have its
>> cert signed by servercert.pem, which is in turn signed by rootcert.pem):
>>
>>   openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>>   openssl x509 -req -in rootreq.pem -sha1 -days 1000 -signkey rootkey.pem -out rootcert.pem
>>   openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
>>   openssl x509 -req -in serverreq.pem -sha1 -days 1000 -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out servercert.pem
>>   openssl req -newkey rsa:1024 -sha1 -keyout serverkey2.pem -out serverreq2.pem
>>   openssl x509 -req -in serverreq2.pem -sha1 -days 1000 -CA servercert.pem -CAkey serverkey.pem -CAcreateserial -out servercert2.pem
>>   cat servercert.pem servercert2.pem
>>   cat rootcert.pem servercert2.pem
>>
>> I assume that at the end of these commands servercert2.pem will have a
>> chain of certs.
>
> Yes, but not a valid chain of certificates. You cannot treat a server
> certificate as a CA certificate because that would mean anyone could be a
> CA and bad things(TM) would happen.
>
> None of the above certificate signing commands include any extensions.
> The configuration file and extension section need to be explicitly
> included on the command line. For example:
>
>   -extfile /path/to/openssl.cnf -extensions section
>
> where section is v3_ca for the CAs and usr_cert for the server
> certificate.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
> __
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager
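The fix Steve describes, carried through end to end, as an added example that is not part of the original thread and not code from the OpenSSL project. It rebuilds the three-tier hierarchy from the original commands (the thread's servercert.pem is the intermediate, called intcert.pem here; servercert2.pem is the leaf, called leafcert.pem), signs the CAs with a v3_ca section and the server certificate with a usr_cert section, assembles the file a server would load with SSL_CTX_use_certificate_chain_file, and verifies it against the root alone, the way a client that called SSL_CTX_load_verify_locations on rootcert.pem would. It then repeats the build with the intermediate issued exactly as in the thread, with no extensions, and shows that verification rejects it. Assumptions: a POSIX sh and an openssl binary (1.1.1 or later) on PATH; the config file contents, the subject names (Test Root CA, Test Intermediate CA, server.example.test) and all file names are made up for this example, and 1024-bit RSA with SHA-1 from the 2006 commands is replaced by 2048-bit RSA with SHA-256.

```shell
#!/bin/sh
# Added example for the openssl-users thread above; not code from the thread or
# from the OpenSSL project. Builds root -> intermediate -> leaf with the extension
# sections named in the reply (v3_ca for the CAs, usr_cert for the server cert)
# and shows that an intermediate issued with no extensions is rejected.
# Assumes: POSIX sh and an 'openssl' binary (1.1.1 or later) on PATH. Config
# contents, subject names and file names are constructed for this example.

# Minimal config: [req]/[req_dn] so 'openssl req' needs no system openssl.cnf,
# plus the two extension sections. Section names match the reply above.
write_cnf() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ usr_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:server.example.test
EOF
}

# Fresh RSA key plus CSR: $1 = dir, $2 = name prefix (root/int/leaf), $3 = CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ext.cnf" \
        -subj "/CN=$3" -keyout "$1/$2key.pem" -out "$1/$2req.pem" 2>/dev/null
}

# Build the hierarchy in $1. $2 is the extension section used when signing the
# intermediate: "v3_ca" for a real CA, "" to repeat the mistake from the thread.
build_chain() {
    d=$1
    int_ext=$2
    write_cnf "$d"

    # Root: self-signed with -signkey as in the thread, but now with v3_ca.
    new_csr "$d" root "Test Root CA" || return 1
    openssl x509 -req -in "$d/rootreq.pem" -sha256 -days 1000 \
        -signkey "$d/rootkey.pem" -extfile "$d/ext.cnf" -extensions v3_ca \
        -out "$d/rootcert.pem" 2>/dev/null || return 1

    # Intermediate (the thread's servercert.pem): signed by the root.
    new_csr "$d" int "Test Intermediate CA" || return 1
    if [ -n "$int_ext" ]; then
        set -- -extfile "$d/ext.cnf" -extensions "$int_ext"
    else
        set --     # no extensions at all: an end-entity cert, not a CA
    fi
    openssl x509 -req -in "$d/intreq.pem" -sha256 -days 1000 \
        -CA "$d/rootcert.pem" -CAkey "$d/rootkey.pem" -CAcreateserial "$@" \
        -out "$d/intcert.pem" 2>/dev/null || return 1

    # Leaf (the thread's servercert2.pem): signed by the intermediate, usr_cert.
    new_csr "$d" leaf "server.example.test" || return 1
    openssl x509 -req -in "$d/leafreq.pem" -sha256 -days 1000 \
        -CA "$d/intcert.pem" -CAkey "$d/intkey.pem" -CAcreateserial \
        -extfile "$d/ext.cnf" -extensions usr_cert \
        -out "$d/leafcert.pem" 2>/dev/null || return 1

    # What the server hands to SSL_CTX_use_certificate_chain_file: leaf first,
    # then the intermediate. The root is not sent; the client already has it
    # via SSL_CTX_load_verify_locations, so 'cat rootcert.pem ...' is not needed.
    cat "$d/leafcert.pem" "$d/intcert.pem" > "$d/leafchain.pem"
}

# True if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# The client's view of the handshake: trust only the root, treat the intermediate
# as untrusted input (as it arrives in the server's chain), verify the leaf.
# Returns openssl verify's exit status.
verify_chain() {
    openssl verify -CAfile "$1/rootcert.pem" -untrusted "$1/intcert.pem" "$1/leafcert.pem"
}

main() {
    good=$(mktemp -d); bad=$(mktemp -d)
    echo "== intermediate issued with -extensions v3_ca =="
    build_chain "$good" v3_ca && verify_chain "$good"
    echo "== intermediate issued with no extensions (as in the original post) =="
    build_chain "$bad" "" && verify_chain "$bad"
    rm -rf "$good" "$bad"
}
main
```

The second run fails because OpenSSL will not use a certificate as an issuer unless it is marked as a CA (basicConstraints CA:TRUE, with keyUsage permitting keyCertSign), which is exactly the "anyone could be a CA" problem from the reply; the client then cannot build a path to a trusted root and sends the unknown_ca alert (alert number 48) seen in the original post. The same files exercise the two API calls from the post with the command-line tools: openssl s_server -cert leafcert.pem -key leafkey.pem -cert_chain intcert.pem on one side and openssl s_client -CAfile rootcert.pem on the other.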
Re: How to setup chain of certs
Hi, can someone reply to this question?

Thanks
Sudhakar

On 12/20/06, Sudhakar wrote:
> Hi,
> I am facing a problem with chain of certs. I have used the following
> commands for creating a chain of certs (servercert2.pem will have its
> cert signed by servercert.pem, which is in turn signed by rootcert.pem):
>
>   openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>   openssl x509 -req -in rootreq.pem -sha1 -days 1000 -signkey rootkey.pem -out rootcert.pem
>   openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
>   openssl x509 -req -in serverreq.pem -sha1 -days 1000 -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out servercert.pem
>   openssl req -newkey rsa:1024 -sha1 -keyout serverkey2.pem -out serverreq2.pem
>   openssl x509 -req -in serverreq2.pem -sha1 -days 1000 -CA servercert.pem -CAkey serverkey.pem -CAcreateserial -out servercert2.pem
>   cat servercert.pem servercert2.pem
>   cat rootcert.pem servercert2.pem
>
> I assume that at the end of these commands servercert2.pem will have a
> chain of certs.
>
> At the server side I used SSL_CTX_use_certificate_chain_file for the
> servercert2.pem file, and at the client side I used
> SSL_CTX_load_verify_locations for rootcert.pem. Now I get an error during
> the SSL handshake. The error says
>
>   tlsv1 alert unknown ca:SSL alert number 48:s3_pkt.c(1052)
>
> at the server side and
>
>   certificate verify failed:s3_clnt.c(844)
>
> at the client side. I am sure I made some mistake when creating the chain
> of certs. Can someone point out the right way?
>
> Thanks
> Sudhakar
How to setup chain of certs
Hi,

I am facing a problem with chain of certs. I have used the following commands for creating a chain of certs (servercert2.pem will have its cert signed by servercert.pem, which is in turn signed by rootcert.pem):

  openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
  openssl x509 -req -in rootreq.pem -sha1 -days 1000 -signkey rootkey.pem -out rootcert.pem
  openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
  openssl x509 -req -in serverreq.pem -sha1 -days 1000 -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out servercert.pem
  openssl req -newkey rsa:1024 -sha1 -keyout serverkey2.pem -out serverreq2.pem
  openssl x509 -req -in serverreq2.pem -sha1 -days 1000 -CA servercert.pem -CAkey serverkey.pem -CAcreateserial -out servercert2.pem
  cat servercert.pem servercert2.pem
  cat rootcert.pem servercert2.pem

I assume that at the end of these commands servercert2.pem will have a chain of certs.

At the server side I used SSL_CTX_use_certificate_chain_file for the servercert2.pem file, and at the client side I used SSL_CTX_load_verify_locations for rootcert.pem. Now I get an error during the SSL handshake. The error says

  tlsv1 alert unknown ca:SSL alert number 48:s3_pkt.c(1052)

at the server side and

  certificate verify failed:s3_clnt.c(844)

at the client side. I am sure I made some mistake when creating the chain of certs. Can someone point out the right way?

Thanks
Sudhakar