Re: issue with p12 creation and network solutions EV SSL
On Tuesday 26 Apr 2011 19:35:48 Mounir IDRASSI wrote:
> Hi James,
>
> I got the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificates store more quickly and regularly than Mozilla or Linux distros: the latest update was last month, on March 23rd 2011. It is sad that even the Network Solutions guys are not aware of this update... This issue should not have existed in the first place!

Mounir, I don't think Microsoft's March 23rd Auto Root Update is actually relevant here. It didn't change any Root Certificates that NetSol's cert chains use, AFAIK.

Your Windows 7 box was able to build the chain because CryptoAPI chases AIA->caIssuers URLs. Firefox doesn't do this. If it did, James wouldn't have noticed any problem in the first place.

James, I see that your server is now sending the correct chain. A tip: you don't have to send the self-signed Root Certificate (Subject and Issuer = AddTrust External CA Root). Each client either already trusts it (in which case there's no point sending it) or it doesn't already trust it (in which case there's no point sending it, because sending it won't make it magically become trusted).

> Good luck,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 4/26/2011 7:07 PM, James Chase wrote:
> > > You've got the wrong chain file. I understand that NetSol switched to a new EV Issuing CA a few months ago. Are you definitely using the chain file that they supplied with your latest site cert?
> >
> > I am using the chain file that they suggest downloading, which already has the intermediate files concatenated into a file -- but apparently it is wrong. I checked the .crt file that they include with my site certificate and they are the same certs that are in the chain file they have precompiled. I can't believe how much time I have spent on this issue; could the root of the issue be that they are not packaging the right files with my new certificate? wtf
> >
> > Mounir, where did you get those certificates?? The only cert that you used that came with my certificate is the last one, AddTrustExternalCARoot -- the other two are NOT included and are not in NetSol's precompiled chain file. Your chain file works when I test with apache, and I have just created a p12 from those chain files and that works too! Hallelujah. But seriously, how did you synthesize that chain file? And how would I be expected to create that on my own?? I spent an hour and a half on the phone with NetSol telling them there was something wrong with their files, and they just kept saying it was my fault and they will bill me $120/hour to fix it.
> >
> > On Tue, Apr 26, 2011 at 8:19 AM, James Chase chase1...@gmail.com wrote:
> > > Well my results are quite different, and I guess point to my p12 not being correctly created. Strangely, the p12 I am running this test on works in production and doesn't produce a warning (I re-created last year's certificate as a new p12 using the same process I am trying with this year's). I also tried running this on my test apache site, where I am just using the plain old certificate, key and Network Solutions supplied chain file -- and the openssl s_client command returns better output but I still get a warning!
> > >
> > > [me@myserver ~]$ openssl s_client -connect www.example.com:443
> > > CONNECTED(0003)
> > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > > verify error:num=20:unable to get local issuer certificate
> > > verify return:1
> > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > > verify error:num=27:certificate not trusted
> > > verify return:1
> > > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International
Re: issue with p12 creation and network solutions EV SSL
On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file, cannot be verified by newer installs of Firefox.

Hi James. That seems unlikely. Try browsing to NetSol's own EV site (https://www.networksolutions.com) in FF4. I see the EV green bar and no browser warnings.

Could you post the top part of the output from openssl s_client -connect yourdomain:yourport ? Then we can compare it with...

$ openssl s_client -connect www.networksolutions.com:443
CONNECTED(0003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

> It doesn't have anything to do with the p12 file I am creating (I loaded up the Network Solutions files in apache and tested). Who would be at fault here? Am I still doing something wrong, or is this Mozilla's fault for not including a needed root CA file? It seems the missing link is the AddTrustExternalCARoot certificate.
>
> I tried adding the AddTrustExternalCARoot cert to the top of my certificate chain, but this causes apache to break and not start, complaining of "[error] Failed to configure CA certificate chain!". I used a chain file that I have used in previous years, and that did allow apache to start, but I still cannot verify with Firefox. Then I tried using last year's (and soon expiring) certificate for my site and that works FINE. So ... Network Solutions screwed something up when issuing my certificate (this is the second one I have had re-issued), or am I doing something wrong? I have no idea what that could be at this point -- I have never had so much trouble with an SSL certificate and am not an expert by any means. Anyone have any thoughts? I called NS earlier in this process and they said not our problem, but perhaps I will try again.
>
> On Mon, Apr 25, 2011 at 11:01 AM, James Chase chase1...@gmail.com wrote:
> > I did run the verification, and didn't have an issue there. Still am not able to figure out how to correctly create this, as the only way the p12 compiles is by dropping the -chain command, but that creates SSL verification warnings in Firefox web browsers.
> >
> > openssl req -verify -in www.example.com.csr -key www.example.com.key
> > verify OK
> > -----BEGIN CERTIFICATE REQUEST-----
> > CERTIFICATE DATA HERE
> > -----END CERTIFICATE REQUEST-----
> >
> > On Sat, Apr 23, 2011 at 4:41 PM, James Chase chase1...@gmail.com wrote:
> > > I am using the same system -- I have tried with last year's chain file as well. The only thing that would be different to my knowledge are possibly the version of openssl and the renewed crt file, if it possibly requires new CAs (I did use their most current certificates before I tried using my old cafile). openssl verify never returns; I'm not sure what the syntax I am shooting for there is. When I try without using the -chain command then it compiles the p12 and it does seem to load in Chrome and IE, but in FF3 I get:
> > >
> > > secure.example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)
> > >
> > > And in FF4 I get:
> > >
> > > store.innertraditions.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
> > >
> > > I have always used the -chain and -CAfile options together when creating p12's.
> > >
> > > On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal crypto@gmail.com wrote:
> > > > On 04/21/2011 06:51 PM, James Chase wrote:
> > > > > I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:
> > > > >
> > > > > openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
> > > > > Error unable to get local issuer certificate getting chain.
> > > > >
> > > > > I concatenated
Re: issue with p12 creation and network solutions EV SSL
Well my results are quite different, and I guess point to my p12 not being correctly created. Strangely, the p12 I am running this test on works in production and doesn't produce a warning (I re-created last year's certificate as a new p12 using the same process I am trying with this year's). I also tried running this on my test apache site, where I am just using the plain old certificate, key and Network Solutions supplied chain file -- and the openssl s_client command returns better output but I still get a warning!

[me@myserver ~]$ openssl s_client -connect www.example.com:443
CONNECTED(0003)
depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
---

On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling rob.stradl...@comodo.com wrote:
> On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> > I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file, cannot be verified by newer installs of Firefox.
>
> Hi James. That seems unlikely. Try browsing to NetSol's own EV site (https://www.networksolutions.com) in FF4. I see the EV green bar and no browser warnings.
>
> Could you post the top part of the output from openssl s_client -connect yourdomain:yourport ? Then we can compare it with...
>
> $ openssl s_client -connect www.networksolutions.com:443
> CONNECTED(0003)
> depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
>  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
>    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
>  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> ---
>
> > It doesn't have anything to do with the p12 file I am creating (I loaded up the Network Solutions files in apache and tested). Who would be at fault here? Am I still doing something wrong, or is this Mozilla's fault for not including a needed root CA file? It seems the missing link is the AddTrustExternalCARoot certificate.
> >
> > I tried adding the AddTrustExternalCARoot cert to the top of my certificate chain, but this causes apache to break and not start, complaining of "[error] Failed to configure CA certificate chain!". I used a chain file that I have used in previous years, and that did allow apache to start, but I still cannot verify with Firefox. Then I tried using last year's (and soon expiring) certificate for my site and that works FINE. So ... Network Solutions screwed something up when issuing my certificate (this is the second one I have had re-issued), or am I doing something wrong? I have no idea what that could be at this point -- I have never had so much trouble with an SSL certificate and am not an expert by any means. Anyone have any thoughts? I called NS earlier in this process and they said not our problem, but perhaps I will try
Re: issue with p12 creation and network solutions EV SSL
Someone suggested it would be helpful to post the chain file and the site's public certificate to the list. If it is helpful, here is the site cert (and below that their supplied chain file).
Re: issue with p12 creation and network solutions EV SSL
Hi,

Your SSL certificate has an Authority Key Identifier extension whose value is 8a 35 e4 35 3a bc 11 a1 9e fb f5 4f 34 66 d5 4b ac 4c 62 68. This indicates that it has NOT been issued by the Network Solutions EV Server CA certificate that is present in the chain file you posted: that one has a Subject Key Identifier extension equal to b6 4e 85 9d 84 1f 1b 1d d4 52 89 4e 07 96 2d f9 de f1 8f cc.

Actually, your SSL certificate has been signed by an updated Network Solutions EV Server CA certificate which was reissued on 11/26/2010 and that has a Subject Key Identifier extension equal to the Authority Key Identifier extension of your SSL certificate. And this updated CA certificate is in turn reissued by an updated Network Solutions Certificate Authority certificate that was issued on 10/10/2010.

So, the chain file you are using is wrong and you should use the updated one. I have reconstructed the correct one for you. Here it is:
Re: issue with p12 creation and network solutions EV SSL
On Tuesday 26 Apr 2011 13:29:00 James Chase wrote:
> Someone suggested it would be helpful to post the chain file and the site's public certificate to the list. If it is helpful, here is the site cert (and below that their supplied chain file)
>
> -----BEGIN CERTIFICATE-----
> snip
> -----END CERTIFICATE-----

Piping that site cert through openssl x509 -noout -issuer gives...

issuer= /C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA

> And the chain file
>
> -----BEGIN CERTIFICATE-----
> snip
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> snip
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> snip
> -----END CERTIFICATE-----

Piping that last CA cert through openssl x509 -noout -subject gives...

subject= /C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA

You've got the wrong chain file. I understand that NetSol switched to a new EV Issuing CA a few months ago. Are you definitely using the chain file that they supplied with your latest site cert?

> On Tue, Apr 26, 2011 at 8:19 AM, James Chase chase1...@gmail.com wrote:
> > Well my results are quite different, and I guess point to my p12 not being correctly created. Strangely, the p12 I am running this test on works in production and doesn't produce a warning (I re-created last year's certificate as a new p12 using the same process I am trying with this year's). I also tried running this on my test apache site, where I am just using the plain old certificate, key and Network Solutions supplied chain file -- and the openssl s_client command returns better output but I still get a warning!
> >
> > [me@myserver ~]$ openssl s_client -connect www.example.com:443
> > CONNECTED(0003)
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
> >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
> > ---
> >
> > On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling rob.stradl...@comodo.com wrote:
> > > On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> > > > I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file, cannot be verified by newer installs of Firefox.
> > >
> > > Hi James. That seems unlikely. Try browsing to NetSol's own EV site (https://www.networksolutions.com) in FF4. I see the EV green bar and no browser warnings.
> > >
> > > Could you post the top part of the output from openssl s_client -connect yourdomain:yourport ? Then we can compare it with...
> > >
> > > $ openssl s_client -connect www.networksolutions.com:443
> > > CONNECTED(0003)
> > > depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> > > verify error:num=19:self signed certificate in certificate chain
> > > verify return:0
> > > ---
> > > Certificate chain
> > >  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
> > >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> > >  1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> > >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> > >  2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
> > >    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > >  3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
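The two checks made in this thread, Rob's issuer/subject DN comparison and Mounir's AKI/SKI comparison, as a shell example added here (not code from the thread or from Network Solutions). It builds a throwaway PKI in which an issuing CA has been reissued under the same name with a new key, so that only the key-identifier check catches the stale chain file, and then runs openssl verify and the pkcs12 -export -chain command from the original question against the stale and the correct chain. All CA names are constructed; it assumes the openssl command-line tool (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway PKI that mirrors
# James's situation: an issuing CA reissued under the SAME subject name but
# with a NEW key, a stale chain file that still carries the old CA cert, and a
# site cert signed by the new CA. Then it runs the two checks from the thread
# (Rob's issuer/subject DN comparison, Mounir's AKI/SKI comparison) and shows
# what openssl verify and pkcs12 -export -chain do with each chain file.
# Assumes the openssl CLI (1.1.1 or 3.x); every name below is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the CA certs and the site cert (constructed).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:www.example.com
EOF

# newkey NAME SUBJECT : fresh RSA key plus CSR for NAME
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}
# sign NAME CA SERIAL EXTFILE : issue NAME.pem from NAME.csr under CA ("self" = self-signed)
sign() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -set_serial "$3" \
      -extfile "$4" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -days 30 \
      -set_serial "$3" -extfile "$4" -out "$1.pem" >/dev/null 2>&1
  fi
}

newkey root   "/O=Example Trust/CN=Example Root CA"
newkey ev_old "/O=Example Trust/CN=Example EV Server CA"
newkey ev_new "/O=Example Trust/CN=Example EV Server CA"   # same DN, new key
newkey leaf   "/O=A Company/CN=www.example.com"
sign root   self   1 ca.ext
sign ev_old root   2 ca.ext
sign ev_new root   3 ca.ext
sign leaf   ev_new 4 leaf.ext        # the site cert comes from the NEW issuing CA

# The stale chain file (old CA cert + root) and the correct one (new CA cert + root).
cat ev_old.pem root.pem > chain_old.pem
cat ev_new.pem root.pem > chain_new.pem

# key_id CERT Subject|Authority : the SKI or AKI key id as lower-case hex
# (handles both the "keyid:" prefix of 1.1.1 and the bare value of 3.x).
key_id() {
  openssl x509 -in "$1" -noout -text \
    | awk -v want="X509v3 $2 Key Identifier" 'hit {print; exit} index($0, want) {hit=1}' \
    | sed -e 's/^[[:space:]]*//' -e 's/^keyid://' | tr 'A-F' 'a-f'
}

# chain_ok CERT ISSUER : "ok" when CERT's issuer DN equals ISSUER's subject DN
# (Rob's check) AND CERT's AKI equals ISSUER's SKI (Mounir's check).
chain_ok() {
  iss=$(openssl x509 -in "$1" -noout -issuer);  iss=${iss#issuer=}
  sub=$(openssl x509 -in "$2" -noout -subject); sub=${sub#subject=}
  if [ "$iss" != "$sub" ]; then echo "name mismatch"; return 0; fi
  if [ "$(key_id "$1" Authority)" != "$(key_id "$2" Subject)" ]; then
    echo "keyid mismatch"; return 0
  fi
  echo ok
}

# verify_with CHAIN : "pass"/"fail" from openssl verify with CHAIN as the untrusted intermediates
verify_with() {
  if openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
  then echo pass; else echo fail; fi
}

# p12_with CHAIN : "pass"/"fail" from the pkcs12 -export -chain command James ran
p12_with() {
  if openssl pkcs12 -export -chain -CAfile "$1" -in leaf.pem -inkey leaf.key \
       -passout pass:example -out out.p12 >/dev/null 2>&1
  then echo pass; else echo fail; fi
}

echo "site cert vs old CA: $(chain_ok leaf.pem ev_old.pem)"   # keyid mismatch: same name, wrong key
echo "site cert vs new CA: $(chain_ok leaf.pem ev_new.pem)"   # ok
echo "verify: stale chain $(verify_with chain_old.pem), correct chain $(verify_with chain_new.pem)"
echo "pkcs12: stale chain $(p12_with chain_old.pem), correct chain $(p12_with chain_new.pem)"
```

With the stale chain both verify and pkcs12 fail with "unable to get local issuer certificate", which is exactly the error from the first message in the thread; the DN check alone would not have caught it here.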
Re: issue with p12 creation and network solutions EV SSL
> You've got the wrong chain file. I understand that NetSol switched to a new EV Issuing CA a few months ago. Are you definitely using the chain file that they supplied with your latest site cert?

I am using the chain file that they suggest downloading, which already has the intermediate files concatenated into a file -- but apparently it is wrong. I checked the .crt file that they include with my site certificate and they are the same certs that are in the chain file they have precompiled. I can't believe how much time I have spent on this issue; could the root of the issue be that they are not packaging the right files with my new certificate? wtf

Mounir, where did you get those certificates?? The only cert that you used that came with my certificate is the last one, AddTrustExternalCARoot -- the other two are NOT included and are not in NetSol's precompiled chain file. Your chain file works when I test with apache, and I have just created a p12 from those chain files and that works too! Hallelujah. But seriously, how did you synthesize that chain file? And how would I be expected to create that on my own?? I spent an hour and a half on the phone with NetSol telling them there was something wrong with their files, and they just kept saying it was my fault and they will bill me $120/hour to fix it.

> On Tue, Apr 26, 2011 at 8:19 AM, James Chase chase1...@gmail.com wrote:
> > Well my results are quite different, and I guess point to my p12 not being correctly created. Strangely, the p12 I am running this test on works in production and doesn't produce a warning (I re-created last year's certificate as a new p12 using the same process I am trying with this year's). I also tried running this on my test apache site, where I am just using the plain old certificate, key and Network Solutions supplied chain file -- and the openssl s_client command returns better output but I still get a warning!
> >
> > [me@myserver ~]$ openssl s_client -connect www.example.com:443
> > CONNECTED(0003)
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
> >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
> > ---
> >
> > On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling rob.stradl...@comodo.com wrote:
> > > On Monday 25 Apr 2011 20:07:03 James Chase wrote:
> > > > I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file, cannot be verified by newer installs of Firefox.
> > >
> > > Hi James. That seems unlikely. Try browsing to NetSol's own EV site (https://www.networksolutions.com) in FF4. I see the EV green bar and no browser warnings.
> > >
> > > Could you post the top part of the output from openssl s_client -connect yourdomain:yourport ? Then we can compare it with...
> > >
> > > $ openssl s_client -connect www.networksolutions.com:443
> > > CONNECTED(0003)
> > > depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> > > verify error:num=19:self signed certificate in certificate chain
> > > verify return:0
> > > ---
> > > Certificate chain
> > >  0 s:/serialNumber=3713002/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/C=US/ST=VA/L=Herndon/O=Network Solutions, LLC/OU=Technology Services/OU=Secure Link EV SSL/CN=www.networksolutions.com
> > >    i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV Server CA
> > >  1 s:/C=US/O=Network Solutions
Re: issue with p12 creation and network solutions EV SSL
Hi James,

I got the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificates store more quickly and regularly than Mozilla or Linux distros: the latest update was last month, on March 23rd 2011. It is sad that even the Network Solutions guys are not aware of this update... This issue should not have existed in the first place!

Good luck,

-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 4/26/2011 7:07 PM, James Chase wrote:

You've got the wrong chain file. I understand that NetSol switched to a new EV Issuing CA a few months ago. Are you definitely using the chain file that they supplied with your latest site cert?

I am using the chain file that they suggest downloading, which already has the intermediate files concatenated into a file -- but apparently it is wrong. I checked the .crt file that they include with my site certificate and they are the same certs that are in the chain file they have precompiled. I can't believe how much time I have spent on this issue; could the root of the issue be that they are not packaging the right files with my new certificate? wtf

Mounir, where did you get those certificates?? The only cert that you used that came with my certificate is the last one, AddTrustExternalCARoot -- the other two are NOT included and are not in NetSol's precompiled chain file. Your chain file works when I test with Apache, and I have just created a p12 from those chain files and that works too! Hallelujah. But seriously, how did you synthesize that chain file? And how would I be expected to create that on my own?? I spent an hour and a half on the phone with NetSol telling them there was something wrong with their files and they just kept saying it was my fault and they will bill me $120/hour to fix it.

On Tue, Apr 26, 2011 at 8:19 AM, James Chase chase1...@gmail.com wrote:

Well my results are quite different, and I guess point to my p12 not being correctly created. Strangely, the p12 I am running this test on works in production and doesn't produce a warning (I re-created last year's certificate as a new p12 using the same process I am trying with this year's). I also tried running this on my test Apache site, where I am just using the plain old certificate, key and Network Solutions supplied chain file -- and the openssl s_client command returns better output but I still get a warning!

    [me@myserver ~]$ openssl s_client -connect www.example.com:443
    CONNECTED(0003)
    depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/serialNumber=03-11-1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachusetts/1.3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd/OU=Book Sales/OU=Secure Link EV SSL/CN=www.example.com
       i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
    ---

On Mon, Apr 25, 2011 at 6:16 PM, Rob Stradling rob.stradl...@comodo.com wrote:

On Monday 25 Apr 2011 20:07:03 James Chase wrote:

I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file, cannot be verified by newer installs of Firefox.

Hi James. That seems
Re: issue with p12 creation and network solutions EV SSL
I got the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificates store more quickly and regularly than Mozilla or Linux distros: the latest update was last month, on March 23rd 2011. It is sad that even the Network Solutions guys are not aware of this update... This issue should not have existed in the first place!

Good luck,

I really can't thank you enough. I wouldn't have known how to follow the chain and find which files were needed to build up their intermediate certificate chain (though thanks to your notes, I do now). I still can't believe how badly Network Solutions screwed this situation up and the extremely poor level of support I received from them. They should have been able to figure out I was using the wrong chain files -- they supposedly ran scripts on my SSL certificate when I called them.

Hope someone else can benefit from being aware of this issue. Thanks for all your help guys!
Re: issue with p12 creation and network solutions EV SSL
I did run the verification, and didn't have an issue there. Still am not able to figure out how to correctly create this, as the only way the p12 compiles is by dropping the -chain command, but that creates SSL verification warnings in Firefox web browsers.

    openssl req -verify -in www.example.com.csr -key www.example.com.key
    verify OK
    -----BEGIN CERTIFICATE REQUEST-----
    CERTIFICATE DATA HERE
    -----END CERTIFICATE REQUEST-----

On Sat, Apr 23, 2011 at 4:41 PM, James Chase chase1...@gmail.com wrote:

I am using the same system -- I have tried with last year's chain file as well. The only thing that would be different, to my knowledge, is possibly the version of openssl and the renewed crt file, if it possibly requires new CAs (I did use their most current certificates before I tried using my old cafile). openssl verify never returns; I'm not sure what the syntax I am shooting for there is.

When I try without using the -chain command then it compiles the p12 and it does seem to load in Chrome and IE, but in FF3 I get:

    secure.example.com uses an invalid security certificate.
    The certificate is not trusted because the issuer certificate is unknown.
    (Error code: sec_error_unknown_issuer)

And in FF4 I get:

    store.innertraditions.com uses an invalid security certificate.
    The certificate is not trusted because no issuer chain was provided.
    (Error code: sec_error_unknown_issuer)

I have always used the -chain and -CAfile options together when creating p12s.

On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal crypto@gmail.com wrote:

On 04/21/2011 06:51 PM, James Chase wrote:

I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I concatenated all the intermediate files in the order they suggest, and according to the process I have documented that has worked the past few years. I also downloaded the pre-built chain file where they already concatenated the needed files together, but I get the same error. I also tried the same chain file I used last year -- same results. Googling is not helping me understand this error. Anyone know what could be going on here with the EV SSL creation for Network Solutions?

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau

James,

You don't need to include the '-chain' option since you are providing the chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build the chain for you.

--Crypto.Sal
Re: issue with p12 creation and network solutions EV SSL
I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file, cannot be verified by newer installs of Firefox. It doesn't have anything to do with the p12 file I am creating (I loaded up the Network Solutions files in Apache and tested). Who would be at fault here? Am I still doing something wrong, or is this Mozilla's fault for not including a needed root CA file? It seems the missing link is the AddTrustExternalCARoot certificate.

I tried adding the AddTrustExternalCARoot cert to the top of my certificate chain, but this causes Apache to break and not start, complaining of:

    [error] Failed to configure CA certificate chain!

I used a chain file that I have used in previous years, and that did allow Apache to start, but I still cannot verify with Firefox. Then I tried using last year's (and soon expiring) certificate for my site and that works FINE.

So ... Network Solutions screwed something up when issuing my certificate (this is the second one I have had re-issued), or am I doing something wrong? I have no idea what that could be at this point -- I have never had so much trouble with an SSL certificate and am not an expert by any means. Anyone have any thoughts? I called NS earlier in this process and they said not our problem, but perhaps I will try again.

On Mon, Apr 25, 2011 at 11:01 AM, James Chase chase1...@gmail.com wrote:

I did run the verification, and didn't have an issue there. Still am not able to figure out how to correctly create this, as the only way the p12 compiles is by dropping the -chain command, but that creates SSL verification warnings in Firefox web browsers.

    openssl req -verify -in www.example.com.csr -key www.example.com.key
    verify OK
    -----BEGIN CERTIFICATE REQUEST-----
    CERTIFICATE DATA HERE
    -----END CERTIFICATE REQUEST-----

On Sat, Apr 23, 2011 at 4:41 PM, James Chase chase1...@gmail.com wrote:

I am using the same system -- I have tried with last year's chain file as well. The only thing that would be different, to my knowledge, is possibly the version of openssl and the renewed crt file, if it possibly requires new CAs (I did use their most current certificates before I tried using my old cafile). openssl verify never returns; I'm not sure what the syntax I am shooting for there is.

When I try without using the -chain command then it compiles the p12 and it does seem to load in Chrome and IE, but in FF3 I get:

    secure.example.com uses an invalid security certificate.
    The certificate is not trusted because the issuer certificate is unknown.
    (Error code: sec_error_unknown_issuer)

And in FF4 I get:

    store.innertraditions.com uses an invalid security certificate.
    The certificate is not trusted because no issuer chain was provided.
    (Error code: sec_error_unknown_issuer)

I have always used the -chain and -CAfile options together when creating p12s.

On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal crypto@gmail.com wrote:

On 04/21/2011 06:51 PM, James Chase wrote:

I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I concatenated all the intermediate files in the order they suggest, and according to the process I have documented that has worked the past few years. I also downloaded the pre-built chain file where they already concatenated the needed files together, but I get the same error. I also tried the same chain file I used last year -- same results. Googling is not helping me understand this error. Anyone know what could be going on here with the EV SSL creation for Network Solutions?

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau

James,

You don't need to include the '-chain' option since you are providing the chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build the chain for you.

--Crypto.Sal
RE: issue with p12 creation and network solutions EV SSL
From: owner-openssl-us...@openssl.org On Behalf Of James Chase
Sent: Monday, 25 April, 2011 11:02

I did run the verification, and didn't have an issue there. Still am not able to figure out how to correctly create this, as the only way the p12 compiles is by dropping the -chain command, but that creates SSL verification warnings in Firefox web browsers.

    openssl req -verify -in www.example.com.csr -key www.example.com.key

Verifying the request is irrelevant. Verify the *cert* you are putting in the p12 against the (remaining) chain you are putting in the p12. If that succeeds, the p12 should work also. If it fails, it should give more specific error information.

    openssl verify -CAfile chain.crt my.cert.crt

IF you have installed some 'common' or 'standard' CAs in your system's default truststore -- or if you're using a packaged build that does so for you -- turn that off to make sure it doesn't silently 'fill in' certs for you, something like:

    openssl verify -CAfile chain.crt -CApath /dev/null my.cert.crt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: issue with p12 creation and network solutions EV SSL
    openssl verify -CAfile chain.crt my.cert.crt

IF you have installed some 'common' or 'standard' CAs in your system's default truststore -- or if you're using a packaged build that does so for you -- turn that off to make sure it doesn't silently 'fill in' certs for you, something like:

    openssl verify -CAfile chain.crt -CApath /dev/null my.cert.crt

Thanks, that makes sense. However the output is basically the same as the original error when I was using the -chain command:

    error 20 at 0 depth lookup:unable to get local issuer certificate

I spent a long time on the phone with Network Solutions today and they claim up and down the river that it is not their problem. However when I generate a p12 file with the chain files they supplied and last year's certificate, it works fine. When I create a p12 with the same chain files and options but use this year's certificate -- doesn't work. OR, using the verify comparison, last year's crt with this year's chain file:

    ../p12/www.example.com.crt: OK

versus the above error output. The only way they will give any feedback is at $60/half hour. Nice support team.

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau
Re: issue with p12 creation and network solutions EV SSL
I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I just tried requesting a new certificate with a new CSR and re-downloaded all the files but still have the same results. Can someone offer any advice? I'm at a total loss here. The only way I can get the p12 created is by not including the chain, but then the SSL is worthless.

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau
Re: issue with p12 creation and network solutions EV SSL
On Sat April 23 2011, James Chase wrote:

I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

Has worked for years and now it fails? OK, what changed?

From: http://www.openssl.org/docs/apps/pkcs12.html

    -chain
        If this option is present then an attempt is made to include the entire certificate chain of the user certificate. The standard CA store is used for this search. If the search fails it is considered a fatal error.

Any changes made in your standard CA store or its contents since the last time your command worked? I.e.: your process has remained the same, but have the supporting materials remained the same on your system? Are you even using the same system now? Has something expired during the time lapse since it last worked?

Mike

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I just tried requesting a new certificate with a new CSR and re-downloaded all the files but still have the same results. Can someone offer any advice? I'm at a total loss here. The only way I can get the p12 created is by not including the chain, but then the SSL is worthless.

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau
Re: issue with p12 creation and network solutions EV SSL
Hi James,

Can you try the openssl verify command? If this fails, then there must be something wrong with your setup.

- re

On Sat, Apr 23, 2011 at 8:45 PM, James Chase chase1...@gmail.com wrote:

I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I just tried requesting a new certificate with a new CSR and re-downloaded all the files but still have the same results. Can someone offer any advice? I'm at a total loss here. The only way I can get the p12 created is by not including the chain, but then the SSL is worthless.

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau
Re: issue with p12 creation and network solutions EV SSL
On 04/21/2011 06:51 PM, James Chase wrote:

I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I concatenated all the intermediate files in the order they suggest, and according to the process I have documented that has worked the past few years. I also downloaded the pre-built chain file where they already concatenated the needed files together, but I get the same error. I also tried the same chain file I used last year -- same results. Googling is not helping me understand this error. Anyone know what could be going on here with the EV SSL creation for Network Solutions?

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau

James,

You don't need to include the '-chain' option since you are providing the chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build the chain for you.

--Crypto.Sal
Re: issue with p12 creation and network solutions EV SSL
I am using the same system -- I have tried with last year's chain file as well. The only thing that would be different, to my knowledge, is possibly the version of openssl and the renewed crt file, if it possibly requires new CAs (I did use their most current certificates before I tried using my old cafile). openssl verify never returns; I'm not sure what the syntax I am shooting for there is.

When I try without using the -chain command then it compiles the p12 and it does seem to load in Chrome and IE, but in FF3 I get:

    secure.example.com uses an invalid security certificate.
    The certificate is not trusted because the issuer certificate is unknown.
    (Error code: sec_error_unknown_issuer)

And in FF4 I get:

    store.innertraditions.com uses an invalid security certificate.
    The certificate is not trusted because no issuer chain was provided.
    (Error code: sec_error_unknown_issuer)

I have always used the -chain and -CAfile options together when creating p12s.

On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal crypto@gmail.com wrote:

On 04/21/2011 06:51 PM, James Chase wrote:

I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I concatenated all the intermediate files in the order they suggest, and according to the process I have documented that has worked the past few years. I also downloaded the pre-built chain file where they already concatenated the needed files together, but I get the same error. I also tried the same chain file I used last year -- same results. Googling is not helping me understand this error. Anyone know what could be going on here with the EV SSL creation for Network Solutions?

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau

James,

You don't need to include the '-chain' option since you are providing the chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build the chain for you.

--Crypto.Sal
issue with p12 creation and network solutions EV SSL
I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL:

    openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt
    Error unable to get local issuer certificate getting chain.

I concatenated all the intermediate files in the order they suggest, and according to the process I have documented that has worked the past few years. I also downloaded the pre-built chain file where they already concatenated the needed files together, but I get the same error. I also tried the same chain file I used last year -- same results. Googling is not helping me understand this error. Anyone know what could be going on here with the EV SSL creation for Network Solutions?

-- 
Beware of all enterprises that require new clothes. -- Henry David Thoreau