Re: Newbie Needs Help!!!
Hello,

> When I do that, I now get:
>
> RAPTOR_$ openssl s_client -connect adtest:636 "-CAfile" certnew.pem
> CONNECTED(0003)
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=adtest.altdomain2000.psccos.com
>    i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca

Get the server certificate (let's say server_cert.pem) and execute:

$ openssl verify -CAfile certnew.pem server_cert.pem

If this returns success, s_client will verify this server cert successfully too.

Next piece of information: certnew.pem should have the CA cert from:
C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: Newbie Needs Help!!!
When I do that, I now get:

RAPTOR_$ openssl s_client -connect adtest:636 "-CAfile" certnew.pem
CONNECTED(0003)
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=adtest.altdomain2000.psccos.com
   i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Server certificate
subject=/CN=adtest.altdomain2000.psccos.com
issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Acceptable client certificate CA names
---
SSL handshake has read 3950 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: AF0AC37F50DE8F069E626AF23D763831B871E78B7AD0886FB042B6731262
    Session-ID-ctx:
    Master-Key: BB25F868F436649E68039E54D6F712E3AFDB6E523DA3A0FB0E16A9470F9D3CCE0379BC95A59325993587E6DC2680224B
    Key-Arg   : None
    Start Time: 1159402472
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
bad select 38

I obviously have the wrong certificates, but I have no idea (as should also be obvious) what certificates I really do need. The file I used as input to the -CAfile switch is the "CA Certification Path" as downloaded from the Windows box that runs the CA, and that I converted to PEM format. There's something not kosher about that certificate, but darned if I have any idea what.

Any more suggestions?

At 03:39 PM 9/27/2006, Richard Levitte - VMS Whacker wrote:

> Hi Dan,
>
> In message <[EMAIL PROTECTED]> on Mon, 25 Sep 2006 09:50:32 -0600, Dan O'Reilly <[EMAIL PROTECTED]> said:
>
> dano> My CA is another system (Windows) and I requested it to create
> dano> the trusted root certificate in PKCS7 format, which I copied to
> dano> my VMS system. I can use OPENSSL PKCS7 to view the package
> dano> contents, and it contains a single certificate. I then tried to
> dano> do an OPENSSL VERIFY on that package, and it keeps coming up
> dano> with "NO START LINE" and "EXPECTING: TRUSTED CERTIFICATE"
> dano> errors. Finally, I tried "openssl s_clienit -connect
> dano> :636 -certfore der -CAfile
> dano> and it comes up with the following:
>
> You need to extract the certificate from that PKCS#7 package and use the resulting file. Since OPENSSL PKCS7 will give you the certificate in PEM format, the best you can probably do is save that in a .PEM file, and then use it as follows:
>
> openssl s_client -connect :636 -CAfile .PEM
>
> Cheers,
> Richard
>
> -
> Please consider sponsoring my work on free software.
> See http://www.free.lp.se/sponsoring.html for details.
>
> --
> Richard Levitte                         [EMAIL PROTECTED]
>                                         http://richard.levitte.org/
>
> "When I became a man I put away childish things, including
>  the fear of childishness and the desire to be very grown up."
>                                         -- C.S. Lewis

--
+------------------------+------------------------------------------+
| Dan O'Reilly           | "There are 10 types of people in this    |
| Principal Engineer     |  world: those who understand binary      |
| Process Software       |  and those who don't."                   |
| http://www.process.com |                                          |
+------------------------+------------------------------------------+
Re: Newbie Needs Help!!!
Hi Dan,

In message <[EMAIL PROTECTED]> on Mon, 25 Sep 2006 09:50:32 -0600, Dan O'Reilly <[EMAIL PROTECTED]> said:

dano> My CA is another system (Windows) and I requested it to create
dano> the trusted root certificate in PKCS7 format, which I copied to
dano> my VMS system. I can use OPENSSL PKCS7 to view the package
dano> contents, and it contains a single certificate. I then tried to
dano> do an OPENSSL VERIFY on that package, and it keeps coming up
dano> with "NO START LINE" and "EXPECTING: TRUSTED CERTIFICATE"
dano> errors. Finally, I tried "openssl s_clienit -connect
dano> :636 -certfore der -CAfile
dano> and it comes up with the following:

You need to extract the certificate from that PKCS#7 package and use the resulting file. Since OPENSSL PKCS7 will give you the certificate in PEM format, the best you can probably do is save that in a .PEM file, and then use it as follows:

openssl s_client -connect :636 -CAfile .PEM

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                        -- C.S. Lewis
Newbie Needs Help!!!
Trying to use OpenSSL 0.9.8 on a VMS system. Specifically, I'm having problems using OpenSSL underneath OpenLDAP to talk to another non-OpenLDAP system and can't get THAT to work. It's been suggested that I use OPENSSL S_CLIENT to ensure my basic certificates are correct.

My CA is another system (Windows) and I requested it to create the trusted root certificate in PKCS7 format, which I copied to my VMS system. I can use OPENSSL PKCS7 to view the package contents, and it contains a single certificate. I then tried to do an OPENSSL VERIFY on that package, and it keeps coming up with "NO START LINE" and "EXPECTING: TRUSTED CERTIFICATE" errors. Finally, I tried "openssl s_clienit -connect :636 -certfore der -CAfile" and it comes up with the following:

CONNECTED(0003)
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=adtest.altdomain2000.psccos.com
   i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFijCCBTSgAwIBAgIKYQMaYgAAAjANBgkqhkiG9w0BAQUFADBhMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ08xGTAXBgNVBAcTEENvbG9yYWRvIFNwcmluZ3Mx
GTAXBgNVBAoTEFByb2Nlc3MgU29mdHdhcmUxDzANBgNVBAMTBmhvbWVjYTAeFw0w
NjA5MTQxNjU3NDdaFw0wODA5MTQxNzA3NDdaMCoxKDAmBgNVBAMTH2FkdGVzdC5h
bHRkb21haW4yMDAwLnBzY2Nvcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAL7nVRO9pvigvqim4cqetHJu56PQlPw2MSJe2/SYcxrnA2SsdSvbBAwVTEPZ
KUqGOyGfXDV02S07MX9GR5X66YS1qkGfBzeSbX7Yx1ti9+J/PODkyZh2vwlRtTHj
PQzZ0X6p+Z5eevDxkE4lJ0jWitvhwlZF3H3X3AsBsjltqnQpAgMBAAGjggO/MIID
uzALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMC8G
CSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAd
BgNVHQ4EFgQUIdHmJF8ClHMKh5ciCj+UrQtuwZkwgZoGA1UdIwSBkjCBj4AUovZy
djchr9mywKUw9EvkaSvBoDuhZaRjMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
TzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczEZMBcGA1UEChMQUHJvY2VzcyBT
b2Z0d2FyZTEPMA0GA1UEAxMGaG9tZWNhghBRMq+GTAdMg0PtqnzeHGUHMIIBGQYD
VR0fBIIBEDCCAQwwgcWggcKggb+GgbxsZGFwOi8vL0NOPWhvbWVjYSxDTj1hZHRl
c3QsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2Vz
LENOPUNvbmZpZ3VyYXRpb24sREM9YWx0ZG9tYWluMjAwMCxEQz1wc2Njb3MsREM9
Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RjbGFzcz1j
UkxEaXN0cmlidXRpb25Qb2ludDBCoECgPoY8aHR0cDovL2FkdGVzdC5hbHRkb21h
aW4yMDAwLnBzY2Nvcy5jb20vQ2VydEVucm9sbC9ob21lY2EuY3JsMIIBNAYIKwYB
BQUHAQEEggEmMIIBIjCBtQYIKwYBBQUHMAKGgahsZGFwOi8vL0NOPWhvbWVjYSxD
Tj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
Q29uZmlndXJhdGlvbixEQz1hbHRkb21haW4yMDAwLERDPXBzY2NvcyxEQz1jb20/
Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdGNsYXNzPWNlcnRpZmljYXRpb25BdXRo
b3JpdHkwaAYIKwYBBQUHMAKGXGh0dHA6Ly9hZHRlc3QuYWx0ZG9tYWluMjAwMC5w
c2Njb3MuY29tL0NlcnRFbnJvbGwvYWR0ZXN0LmFsdGRvbWFpbjIwMDAucHNjY29z
LmNvbV9ob21lY2EuY3J0MEsGA1UdEQREMEKgHwYJKwYBBAGCNxkBoBIEENuNPV9r
O/hNswSDqOAydGmCH2FkdGVzdC5hbHRkb21haW4yMDAwLnBzY2Nvcy5jb20wDQYJ
KoZIhvcNAQEFBQADQQBBwxlOIAYrY7CjsR09PEgdDhGDdcky2VYUQ6sYf8Bict28
jezE705z/+I9heVmrNQESfHPvSEk/bJ/Ge3vG+S4
-----END CERTIFICATE-----
subject=/CN=adtest.altdomain2000.psccos.com
issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/[EMAIL PROTECTED]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/[EMAIL PROTECTED]
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/[EMAIL PROTECTED]
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
/C=US/O=VeriSign, Inc./OU=Class 2
Re: Newbie Needs Help!!!
Hello,

> Trying to use OpenSSL 0.9.8 on a VMS system. Specifically, I'm having
> problems using OpenSSL underneath OpenLDAP to talk to another non-OpenLDAP
> system and can't get THAT to work. It's been suggested that I use OPENSSL
> S_CLIENT to ensure my basic certificates are correct.
>
> My CA is another system (Windows) and I requested it to create the trusted
> root certificate in PKCS7 format, which I copied to my VMS system. I can
> use OPENSSL PKCS7 to view the package contents, and it contains a single
> certificate. I then tried to do an OPENSSL VERIFY on that package, and it
> keeps coming up with "NO START LINE" and "EXPECTING: TRUSTED CERTIFICATE"
> errors. Finally, I tried "openssl s_clienit -connect :636
> -certfore der -CAfile
> and it comes up with the following:

s_client uses a PEM certificate list; try to convert this:

$ openssl pkcs7 -in CA.p7b -inform der -print_certs > CA.pem

and then use CA.pem in the CAfile parameter.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
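An added example, not code from this thread or from the OpenSSL project, that walks through both pieces of advice Marek gives (the PKCS#7-to-PEM conversion in this reply and the "openssl verify -CAfile" check plus the "certnew.pem must contain the homeca certificate" point in his follow-up, the first message on this page). It builds a throwaway CA instead of talking to adtest: a root called testca standing in for homeca, a server certificate it issued, and an unrelated CA called otherca standing in for a CA file that is not the issuer. The CA certificate is packaged as DER PKCS#7 the way a Windows CA exports it, converted to PEM, and then each candidate CA file is checked for the server certificate's issuer before "openssl verify" is run. The subjects, host name ldap.example.test and file names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "no start line" symptom,
# the PKCS#7 -> PEM conversion, and the issuer-in-CAfile check on a throwaway
# PKI. All subjects and file names below are made up for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config (constructed here) so the test CAs carry CA:TRUE
# regardless of what the system openssl.cnf does.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

new_ca() {   # new_ca <name> <subject>: self-signed CA cert and key under $WORK
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/ca.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_test_pki() {
  new_ca testca  "/O=Example Lab/CN=testca"    # issuer of the server cert
  new_ca otherca "/O=Example Lab/CN=otherca"   # a CA that did not issue it
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/testca.pem" \
    -CAkey "$WORK/testca.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/server.pem" 2>/dev/null
  # Package the CA cert the way a Windows CA exports it: DER-encoded PKCS#7.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/testca.pem" \
    -outform der -out "$WORK/testca.p7b"
}

# "no start line" / "Expecting: TRUSTED CERTIFICATE" mean the tool looked for
# PEM armour and found none: a DER file contains no "-----BEGIN" line at all.
is_pem() { grep -q -- '-----BEGIN' "$1"; }

# The conversion from the reply above: PKCS#7 (DER) -> PEM certificate list.
p7b_to_pem() { openssl pkcs7 -in "$1" -inform der -print_certs -out "$2"; }

cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# One subject per certificate in a PEM bundle; going through pkcs7 handles
# multi-certificate files without splitting them by hand.
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject=[[:space:]]*//p'
}

# Does the CAfile hold a certificate whose subject equals the server
# certificate's issuer? If not, verify errors 20/21 are the expected outcome.
cafile_has_issuer() {   # cafile_has_issuer <cafile> <server_cert>
  issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=[[:space:]]*//')
  bundle_subjects "$1" | grep -Fxq -- "$issuer"
}

# The check from Marek's follow-up: succeeds only when the chain builds to a
# certificate in the CAfile ("openssl verify" prints "<file>: OK").
verify_against() {      # verify_against <cafile> <server_cert>
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_test_pki
p7b_to_pem "$WORK/testca.p7b" "$WORK/cafile.pem"
echo "testca.p7b is PEM: $(is_pem "$WORK/testca.p7b" && echo yes || echo no)"
echo "cafile.pem holds $(cert_count "$WORK/cafile.pem") certificate(s)"
for ca in otherca.pem cafile.pem; do
  if cafile_has_issuer "$WORK/$ca" "$WORK/server.pem"; then
    echo "$ca: contains the issuer of server.pem"
  else
    echo "$ca: does NOT contain the issuer of server.pem (expect errors 20/21)"
  fi
  verify_against "$WORK/$ca" "$WORK/server.pem" && echo "$ca: verify OK" \
    || echo "$ca: verify failed"
done
```

The order of the checks is the point: the raw .p7b has no PEM armour, so any OpenSSL tool expecting PEM reports "no start line"; after conversion the bundle is usable as a CAfile, but "openssl verify" can still only succeed if the subject of some certificate in that bundle equals the issuer named in the server certificate, which is exactly the homeca check in Marek's follow-up. Running cafile_has_issuer first turns a bare error 20/21 into a definite statement about which certificate is missing.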