On Wednesday 25 July 2001 05:55, Jean-Marc Desperrier wrote: > George Staikos wrote: > > On Tuesday 24 July 2001 20:26, George Staikos wrote: > > > I've been noticing many problems with some new certificates which > > > are being issued by Entrust and Verisign. > > > > Actually I looked it over more closely and it's not that a "/CPS" > > field is there, but that they have "www.verisign.com/CPS" in the OU > > field. Anyhow, things are very corrupt still. Text output of one of > > these certs results in lots of garbage. > > Verisign certificates have this since very long. > This is not the source of your problem. > > You should send the certificate to the list to get a diagnostic of what is > going wrong. > > I'm surprised about what you're describing, are you sure this is not just a > stupid error like forgetting to use the -inform der parameter ? Ok here are the der-encoded certificates extracted from cert7.db for Verisign and Equifax (note it's _not_ entrust as I mistakenly said above). I don't remember which is the exact correct one for Verisign so I sent all the class 3 certificates. I also attached wellsfargo.pem and ibm.pem along with text versions. These were the certificates presented in a web session which I captured and saved to disk. Trying to verify these pem files against the CA files I gave fails. Netscape can verify them just fine though, and all certificates I've come across which aren't signed by these CA files seem to work fine too. A lot of people have seen this problem recently. The wellsfargo.txt looks very corrupt to me btw. As does the Equifax CA file (#26). -- George Staikos ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]