Re: TLSv1 - Certificate Chain
I just figured out that client and server work fine if I generate the certificates using openssl tools. The difference between the two certificate generations is in the AuthorityKeyIdentifier extension in the child (client/server) cert. I have openssl-cert-generator.bat and my-cert-generator.bat. I am using RootCA and ServiceProviderCA (the 2 CAs) as input for both generators.

** RootCA
Issuer=/C=US/O=XYZ, Inc./CN=RootCA
Subject=/C=US/O=XYZ, Inc./CN=RootCA
SerialNum=1d

ServiceProviderCA
Issuer=/C=US/O=XYZ, Inc./CN=RootCA
Subject=/C=US/O=XYZ, Inc./CN=ServiceProviderCA
SerialNum=1e
Subject KeyID=35 cf 22 4b b0 ea 94 f5 39 8f 84 8a 8f 10 de 4b d7 03 e4 e3
**

Generating client.pem using my-cert-generator.bat
Issuer=/C=US/O=XYZ, Inc./CN=ServiceProviderCA
Subject=/C=US/O=XYZ, Inc./CN=opensslClient
Authority Key Identifier has the following info:
  KeyID=35 cf 22 4b b0 ea 94 f5 39 8f 84 8a 8f 10 de 4b d7 03 e4 e3
  Certificate Issuer: Directory Address: CN=ServiceProviderCA O=XYZ, Inc. C=US
  Certificate SerialNumber=1e

** Generating client.pem using openssl-cert-generator.bat
Issuer=/C=US/O=XYZ, Inc./CN=ServiceProviderCA
Subject=/C=US/O=XYZ, Inc./CN=opensslClient
Authority Key Identifier has the following info:
  KeyID=35 cf 22 4b b0 ea 94 f5 39 8f 84 8a 8f 10 de 4b d7 03 e4 e3
  Certificate Issuer: Directory Address: CN=RootCA O=XYZ, Inc. C=US
  Certificate SerialNumber=1e

When generated using OpenSSL, the KeyID and the SerialNumber are from ServiceProviderCA, but the Certificate Issuer details refer to RootCA. As per the RFC, the identification may be based on either the key identifier or on the issuer name and serial number. I removed issuer name and serial number from both generation scripts.

Everything is working fine (certificate chain verification is successful). I used the following commands in openssl-cert-generator.bat:

openssl req -new -key client.key -out client.csr -sha1 -subj "/C=US/O=XYZ, Inc./CN=opensslClient"
openssl x509 -req -days 7300 -CA spca.crt -CAkey spca.key -CAcreateserial -in client.csr -extfile client.ext -out client.crt
# spca - ServiceProviderCA

client.ext:
extendedKeyUsage=serverAuth,clientAuth
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical,digitalSignature,keyEncipherment

Please confirm the following:
1) Certificate generation using openssl embeds RootCA's issuer details instead of ServiceProviderCA's (immediate CA) details (when authorityKeyIdentifier=keyid:always,issuer:always)?
2) When both Issuer KeyID and issuer detail serial number are specified, and all refer to the immediate CA, OpenSSL fails to verify the certificate chain?

thanks
chinmaya

On 12/9/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> * I tried with -Verify 9 option. No change in the output; still fails with the same error (unable to get local issuer certificate).
> * However with the change in syntax of openssl verify (as you suggested), the verification is failing. server.pem has only ServerCert; it does not include ServiceProviderCA.
> - snippet
> C:\OpenSSL\bin>openssl verify -verbose -purpose sslserver -untrusted \certs\spca.pem -CApath \certs \certs\server.pem
> C:\certs\ClientCert.pem: /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> error 20 at 0 depth lookup:unable to get local issuer certificate
> - snippet
> Is there a way to know the reason behind the failure? The certs are NOT generated using openssl. The ServiceProviderCA does not have an Extended Key Usage extension; does it make a difference?
>
> > The alternative is to include the intermediate CA in the trusted store and they will then be searched for and added automatically.
> * I had put the $hash.0 files (including ServiceProviderCA) in the \certs directory which is included in CApath (-CApath \certs)
>
> thanks
> chinmaya
>
> On 12/9/05, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> > On Thu, Dec 08, 2005, [EMAIL PROTECTED] wrote:
> > > Hi,
> > > I am using OpenSSL as TLS client and server. I am using a certificate chain of size 3 on both sides.
> > >
> > > On Server Side
> > > RootCA (root.pem)
> > > ServiceProviderCA (spca.pem)
> > > ServerCert (server.pem)
> > >
> > > On Client Side
> > > RootCA (root.pem)
> > > ServiceProviderCA (spca.pem)
> > > ClientCert (client.pem)
> > >
> > > I have placed the certs and the hash files ($hash.0) of all certs in c:\certs
> > >
> > > I am running server as
> > > C:\OpenSSL\bin>openssl s_server -Verify yes -cert \certs\server.pem -key \certs\server.key -CApath \certs -CAfile \certs\root.pem -tls1
> > > [also tried without -CAfile option i.e. just with -CApath]
> > >
> > > and client as
> > > C:\OpenSSL\bin>openssl s_client -cipher AES128-SHA -cert \certs\client.pem -key \certs\client.key -CApath \certs -CAfile \certs\root.pem -tls1
> > > [also tried without -CAfile option i.e. just with -CApath]
> > >
> > > When above commands are executed, TLS connection gets established; however, I get some certificate verification errors (both on server and client sides).
> > >
> > > on server side (opensslClient is CN in ClientCert)
> > > depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> > > verify error:num=20:unable to get local issuer certificate
> > > verify return:1
> > > depth=0 /C=US/O=XYZ,
RE: TLSv1 - Certificate Chain
You may have created the certificates improperly. I had the same problem last year. You may want to post this on openldap and not openssl though.

Good Luck,
Victor

From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 08, 2005 6:55 PM
To: openssl-users@openssl.org
Subject: TLSv1 - Certificate Chain

Hi,
I am using OpenSSL as TLS client and server. I am using a certificate chain of size 3 on both sides.

On Server Side
RootCA (root.pem)
ServiceProviderCA (spca.pem)
ServerCert (server.pem)

On Client Side
RootCA (root.pem)
ServiceProviderCA (spca.pem)
ClientCert (client.pem)

I have placed the certs and the hash files ($hash.0) of all certs in c:\certs

I am running server as
C:\OpenSSL\bin>openssl s_server -Verify yes -cert \certs\server.pem -key \certs\server.key -CApath \certs -CAfile \certs\root.pem -tls1
[also tried without -CAfile option i.e. just with -CApath]

and client as
C:\OpenSSL\bin>openssl s_client -cipher AES128-SHA -cert \certs\client.pem -key \certs\client.key -CApath \certs -CAfile \certs\root.pem -tls1
[also tried without -CAfile option i.e. just with -CApath]

When above commands are executed, TLS connection gets established; however, I get some certificate verification errors (both on server and client sides).

on server side (opensslClient is CN in ClientCert)
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
verify error:num=21:unable to verify the first certificate
verify return:1

on client side (opensslServer is CN in ServerCert)
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
verify error:num=21:unable to verify the first certificate
verify return:1

However, everything works fine if I have my ServerCert and ClientCert signed directly by RootCA, i.e. on server side: RootCA and ServerCert, and on client side: RootCA and ClientCert.
Shouldn't it work with an intermediate certificate (ServiceProviderCA), or am I missing any configuration?

Any input is greatly appreciated
-- thanks in advance
chinmaya
Re: TLSv1 - Certificate Chain
Thanks Victor,
But I am able to verify the certs using the following command.
clientChain.pem has ServiceProviderCA and ClientCert (in that order)
serverChain.pem has ServiceProviderCA and ServerCert (in that order)

C:\OpenSSL\bin>openssl verify -CApath \certs clientChain.pem
c:\certs\clientChain.pem: OK
C:\OpenSSL\bin>openssl verify -CApath \certs serverChain.pem
c:\certs\serverChain.pem: OK

In addition I used the default server.pem as input to run both client and server side; even that seems to fail.
C:\OpenSSL\bin>openssl s_server -Verify yes -tls1 -cert server.pem
C:\OpenSSL\bin>openssl s_client -tls1 -cipher AES128-SHA -cert server.pem

Server logs
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=21:unable to verify the first certificate
verify return:1

Client logs
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=21:unable to verify the first certificate
verify return:1

I am using (OpenSSL 0.9.8a 11 Oct 2005)

server.pem -
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
-----BEGIN CERTIFICATE-----
MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0
MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4
GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM
k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz
itAE+OjGF+PFKbwX8Q==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
-----END RSA PRIVATE KEY-----
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-----BEGIN CERTIFICATE-----
MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
-----END CERTIFICATE-----
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
-----BEGIN CERTIFICATE-----
MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw
OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg
40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp
22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y
BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S
Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9
xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO
cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI
-----END CERTIFICATE-----
- server.pem -

thanks
chinmaya

On 12/9/05, Chevalier, Victor T. [EMAIL PROTECTED] wrote:
> You may have created the certificates
Re: TLSv1 - Certificate Chain
On Fri, Dec 09, 2005, [EMAIL PROTECTED] wrote:
> But I am able to verify the certs using the following command.
> clientChain.pem has ServiceProviderCA and ClientCert (in that order)
> serverChain.pem has ServiceProviderCA and ServerCert (in that order)
>
> C:\OpenSSL\bin>openssl verify -CApath \certs clientChain.pem
> c:\certs\clientChain.pem: OK
> C:\OpenSSL\bin>openssl verify -CApath \certs serverChain.pem
> c:\certs\serverChain.pem: OK
>
> In addition I used the default server.pem as input to run both client and server side; even that seems to fail.
> C:\OpenSSL\bin>openssl s_server -Verify yes -tls1 -cert server.pem

Well "yes" isn't a valid argument to the -Verify option for a start. It's a numerical value with the maximum chain length. Try giving it a value like 9.

Also note that the verify command verifies the first certificate in a file. So the above two commands end up verifying the ServiceProviderCA twice which isn't what you want... Something like:

openssl verify -CApath \certs -purpose sslserver -untrusted ServiceProviderCA.pem ServerCert.pem

is more realistic.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: TLSv1 - Certificate Chain
These may be of use to you; you may have seen them, but I solved most of my problems with these howtos.
http://www.openldap.org/faq/data/cache/185.html
http://web.singnet.com.sg/~garyttt/

Victor

From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 09, 2005 11:44 AM
To: openssl-users@openssl.org
Subject: Re: TLSv1 - Certificate Chain

Thanks Victor,
But I am able to verify the certs using the following command.
clientChain.pem has ServiceProviderCA and ClientCert (in that order)
serverChain.pem has ServiceProviderCA and ServerCert (in that order)

C:\OpenSSL\bin>openssl verify -CApath \certs clientChain.pem
c:\certs\clientChain.pem: OK
C:\OpenSSL\bin>openssl verify -CApath \certs serverChain.pem
c:\certs\serverChain.pem: OK

In addition I used the default server.pem as input to run both client and server side; even that seems to fail.
C:\OpenSSL\bin>openssl s_server -Verify yes -tls1 -cert server.pem
C:\OpenSSL\bin>openssl s_client -tls1 -cipher AES128-SHA -cert server.pem

Server logs
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=21:unable to verify the first certificate
verify return:1

Client logs
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
verify error:num=21:unable to verify the first certificate
verify return:1

I am using (OpenSSL 0.9.8a 11 Oct 2005)

server.pem -
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
Re: TLSv1 - Certificate Chain
On Thu, Dec 08, 2005, [EMAIL PROTECTED] wrote:
> Hi,
> I am using OpenSSL as TLS client and server. I am using a certificate chain of size 3 on both sides.
>
> On Server Side
> RootCA (root.pem)
> ServiceProviderCA (spca.pem)
> ServerCert (server.pem)
>
> On Client Side
> RootCA (root.pem)
> ServiceProviderCA (spca.pem)
> ClientCert (client.pem)
>
> I have placed the certs and the hash files ($hash.0) of all certs in c:\certs
>
> I am running server as
> C:\OpenSSL\bin>openssl s_server -Verify yes -cert \certs\server.pem -key \certs\server.key -CApath \certs -CAfile \certs\root.pem -tls1
> [also tried without -CAfile option i.e. just with -CApath]
>
> and client as
> C:\OpenSSL\bin>openssl s_client -cipher AES128-SHA -cert \certs\client.pem -key \certs\client.key -CApath \certs -CAfile \certs\root.pem -tls1
> [also tried without -CAfile option i.e. just with -CApath]
>
> When above commands are executed, TLS connection gets established; however, I get some certificate verification errors (both on server and client sides).
>
> on server side (opensslClient is CN in ClientCert)
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> on client side (opensslServer is CN in ServerCert)
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> However, everything works fine if I have my ServerCert and ClientCert signed directly by RootCA, i.e. on server side: RootCA and ServerCert, and on client side: RootCA and ClientCert.
> Shouldn't it work with an intermediate certificate (ServiceProviderCA), or am I missing any configuration?
>
> Any input is greatly appreciated

The server and client need to include the intermediate CA(s) (ServiceProviderCA) in the chain they send to the peer.

This is normally done by an additional certificates option but s_client and s_server don't have those at present.

The alternative is to include the intermediate CA in the trusted store and they will then be searched for and added automatically.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
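The two remedies Steve gives here (hand the intermediate to the verifier as untrusted chain material, or put it in the trusted store), the AuthorityKeyIdentifier observation from the last message in this thread (with issuer:always, OpenSSL records RootCA as the "Certificate Issuer" of a leaf issued by ServiceProviderCA), and Steve's later point that openssl verify only checks the first certificate in a file, worked through as an added example. This is not the poster's .bat scripts nor code from the OpenSSL project; it is an illustration written for this page. It assumes an openssl binary of version 1.1.1 or later on the PATH (the thread ran 0.9.8a; the -ext and -show_chain options used below did not exist then), and the subjects, file names and scratch directory are illustrative choices of this example.

```sh
#!/bin/sh
# Added example, not the poster's .bat files or the OpenSSL project's code.
# Builds RootCA -> ServiceProviderCA -> opensslClient with the openssl CLI and
# shows why the leaf alone fails (error 20), the two fixes from the thread,
# what authorityKeyIdentifier=issuer:always really embeds, and the
# "verify only checks the first cert in a file" trap.
# Assumes openssl >= 1.1.1 on PATH (-ext and -show_chain did not exist in 0.9.8a).
set -e

# Minimal config so the system openssl.cnf cannot add conflicting extensions.
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# build_chain DIR: root.pem (self-signed), spca.pem (signed by root),
# client.pem (signed by spca) and their keys in DIR. Demo keys, no passphrase.
build_chain() {
  d=$1; cfg=$d/ext.cnf
  write_config "$cfg"
  openssl req -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -days 3650 \
    -subj "/C=US/O=XYZ, Inc./CN=RootCA" 2>/dev/null
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
    -keyout "$d/spca.key" -out "$d/spca.csr" \
    -subj "/C=US/O=XYZ, Inc./CN=ServiceProviderCA" 2>/dev/null
  openssl x509 -req -in "$d/spca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$cfg" -extensions v3_ca -days 3650 \
    -out "$d/spca.pem" 2>/dev/null
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
    -keyout "$d/client.key" -out "$d/client.csr" \
    -subj "/C=US/O=XYZ, Inc./CN=opensslClient" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/spca.pem" -CAkey "$d/spca.key" \
    -CAcreateserial -extfile "$cfg" -extensions v3_leaf -days 365 \
    -out "$d/client.pem" 2>/dev/null
}

# verify_leaf CAFILE LEAF [UNTRUSTED]: print openssl verify's output and return
# its exit status; 0 only if a chain up to a trusted root was built.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -purpose sslclient -CAfile "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1
  fi
}

# leaf_akid CERT: the Authority Key Identifier as text. With issuer:always the
# DirName is the issuing CA's own issuer (RootCA) and the serial is the issuing
# CA's serial; together they name the CA certificate, not the CA's subject.
leaf_akid() {
  openssl x509 -in "$1" -noout -ext authorityKeyIdentifier
}

# first_cert_verified CAFILE OUT CERT...: concatenate CERT... into OUT, verify
# OUT and print the depth-0 subject. openssl verify only checks the first
# certificate in a file, so "ServiceProviderCA then leaf" verifies the CA.
first_cert_verified() {
  ca=$1; out=$2; shift 2
  cat "$@" > "$out"
  openssl verify -show_chain -CAfile "$ca" "$out" 2>&1 | sed -n 's/^depth=0: *//p'
}

demo() {
  d=$1; mkdir -p "$d"; build_chain "$d"
  echo "== leaf alone, only RootCA trusted: error 20 as in the thread"
  verify_leaf "$d/root.pem" "$d/client.pem" || true
  echo "== fix 1: intermediate passed as untrusted chain material"
  verify_leaf "$d/root.pem" "$d/client.pem" "$d/spca.pem"
  echo "== fix 2: intermediate added to the trusted store"
  cat "$d/root.pem" "$d/spca.pem" > "$d/trusted.pem"
  verify_leaf "$d/trusted.pem" "$d/client.pem"
  echo "== leaf AKID: DirName names RootCA, not ServiceProviderCA"
  leaf_akid "$d/client.pem"
  echo "== verify looks only at the first cert in a file"
  first_cert_verified "$d/root.pem" "$d/chain.pem" "$d/spca.pem" "$d/client.pem"
}

# Stand-alone use: sh chain_demo.sh /tmp/chaindemo
if [ -n "${1:-}" ]; then demo "$1"; fi
```

The first verify_leaf call reproduces the thread's "error 20 at 0 depth lookup: unable to get local issuer certificate": the verifier holds only RootCA and the leaf names ServiceProviderCA as issuer, so it cannot take the first step. Passing -untrusted spca.pem (what a TLS peer achieves by sending the intermediate in its Certificate message) or putting spca.pem in the trusted store both let the chain build. The AKID printout shows the point of the thread's last message: the "Certificate Issuer" in the leaf's AKID is the issuer *of* ServiceProviderCA's certificate, RootCA, paired with ServiceProviderCA's serial number, which is how RFC 5280 defines authorityCertIssuer/authorityCertSerialNumber. The last step shows why "clientChain.pem: OK" earlier in the thread proved nothing about the leaf.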
Re: TLSv1 - Certificate Chain
* I tried with -Verify 9 option. No change in the output; still fails with the same error (unable to get local issuer certificate).
* However with the change in syntax of openssl verify (as you suggested), the verification is failing. server.pem has only ServerCert; it does not include ServiceProviderCA.
- snippet
C:\OpenSSL\bin>openssl verify -verbose -purpose sslserver -untrusted \certs\spca.pem -CApath \certs \certs\server.pem
C:\certs\ClientCert.pem: /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
error 20 at 0 depth lookup:unable to get local issuer certificate
- snippet
Is there a way to know the reason behind the failure? The certs are NOT generated using openssl. The ServiceProviderCA does not have an Extended Key Usage extension; does it make a difference?

> The alternative is to include the intermediate CA in the trusted store and they will then be searched for and added automatically.
* I had put the $hash.0 files (including ServiceProviderCA) in the \certs directory which is included in CApath (-CApath \certs)

thanks
chinmaya

On 12/9/05, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Thu, Dec 08, 2005, [EMAIL PROTECTED] wrote:
> > Hi,
> > I am using OpenSSL as TLS client and server. I am using a certificate chain of size 3 on both sides.
> >
> > On Server Side
> > RootCA (root.pem)
> > ServiceProviderCA (spca.pem)
> > ServerCert (server.pem)
> >
> > On Client Side
> > RootCA (root.pem)
> > ServiceProviderCA (spca.pem)
> > ClientCert (client.pem)
> >
> > I have placed the certs and the hash files ($hash.0) of all certs in c:\certs
> >
> > I am running server as
> > C:\OpenSSL\bin>openssl s_server -Verify yes -cert \certs\server.pem -key \certs\server.key -CApath \certs -CAfile \certs\root.pem -tls1
> > [also tried without -CAfile option i.e. just with -CApath]
> >
> > and client as
> > C:\OpenSSL\bin>openssl s_client -cipher AES128-SHA -cert \certs\client.pem -key \certs\client.key -CApath \certs -CAfile \certs\root.pem -tls1
> > [also tried without -CAfile option i.e. just with -CApath]
> >
> > When above commands are executed, TLS connection gets established; however, I get some certificate verification errors (both on server and client sides).
> >
> > on server side (opensslClient is CN in ClientCert)
> > depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslClient
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> >
> > on client side (opensslServer is CN in ServerCert)
> > depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /C=US/O=XYZ, Inc./OU=ABCD/CN=opensslServer
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> >
> > However, everything works fine if I have my ServerCert and ClientCert signed directly by RootCA, i.e. on server side: RootCA and ServerCert, and on client side: RootCA and ClientCert.
> > Shouldn't it work with an intermediate certificate (ServiceProviderCA), or am I missing any configuration?
> >
> > Any input is greatly appreciated
>
> The server and client need to include the intermediate CA(s) (ServiceProviderCA) in the chain they send to the peer.
>
> This is normally done by an additional certificates option but s_client and s_server don't have those at present.
>
> The alternative is to include the intermediate CA in the trusted store and they will then be searched for and added automatically.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk