On Thu, Sep 20, 2007, [EMAIL PROTECTED] wrote:
> Hi,
>
> I am trying to perform certification verification for a self-signed CA
> certificate as well as another certificate signed by this CA. The problem is
> that the verification always fails.
>
> Here is what I do:
>
> /* Convert the DER en
Douglas Lee wrote:
> Still no good.
Sounds like you followed the steps correctly, but that your server still can't
find the private key needed to use the cert. Did you concatenate newreq.pem
onto newcert.pem? Doing so puts both the cert and the key in the same file,
which you can pass to both
See below...
Douglas Lee wrote:
>
>
> 2) Generate new CR file using "CA.sh -newreq". This generates the file
> certificate request file newreq.pem.
>
It also generates a new private key in privkey.pem
> 3) Sign the CR file using the CA file by "CA.sh -sign". This generates
> the certificat
On Mon, Mar 27, 2000 at 06:36:32PM +1000, Douglas Lee wrote:
> 2) Generate new CR file using "CA.sh -newreq". This generates the file
> certificate request file newreq.pem.
And the private key in newkey.pem.
> 3) Sign the CR file using the CA file by "CA.sh -sign". This generates
> the certific
Still no good.
Let's recap what I have done to generate the certificates. Maybe I'm
doing something wrong there. I'm using the CA.sh script under
openssl/apps to generate the certificates.
1) Generate new CA files using "CA.sh -newca". This generates CA
certificate cacert.pem and CA key cakey.p
Sounds like your client can't get its hands on the CA cert needed to
verify the server's cert.
SSL_CTX_use_certificate_file and SSL_CTX_use_RSAPrivateKey_file load the
client-side cert and key you need to present to the server IF the server
requires authentication of clients (which it doesn'
i = X509_verify(x, X509_get_pubkey(x))
will only succeed on self-signed (CA) certificates like Verisign.
What you need to do is verify the cert using the pubkey of its issuer:
i = X509_verify(x, X509_get_pubkey(issuer_of_x))
but this will leak memory since X509_get_pubkey(x) adds one to the r
>Verifying is a complex process
Now *there's* an understatement. :) The IETF PKIX draft update to the
cert/CRL profile takes 20 pages to specify "path validation." See ch6 of
http://www.imc.org/draft-ietf-pkix-new-part1
> and I don't recommend you do it manually:
Vandyke&Associates has releas
Yuriy Stul wrote:
>
> Hello all!
>
> For each certificate in chain I do next:
>
> i = X509_verify(x, X509_get_pubkey(x));
>
> For many sites (www.chase.com, www.ubs.com, ...) I have that first certificate
> in chain has unmatched signature (i == 0). Only last certificate (from RSA )
> has
At 12:43 04.01.00 +0200, you wrote:
>Hello all!
Hello,
>For each certificate in chain I do next:
>
>i = X509_verify(x, X509_get_pubkey(x));
>For many sites (www.chase.com, www.ubs.com, ...) I have that first certificate
>in chain has unmatched signature (i == 0). Only last certificate (from RSA