Re: Verify a certificate

2021-01-05 Thread Bernhard Fröhlich
Hello, just in case you want to check a webserver installation (which is not explicitly mentioned in Viktor's answer) I want to add this... In this case (IMHO) the s_client tool of openssl can do what you need. Try     openssl s_client -connect yourhost.example.org:443 -CAfile

Re: Verify a certificate

2021-01-05 Thread Viktor Dukhovni
On Tue, Jan 05, 2021 at 01:43:12PM +0100, Yassine Chaouche wrote: > How do I detect this error with openssl tools ? are there > tools that print issuer and subject of each certificate in > a chain ? If, by chain, you mean a PEM file with one or more X509 certificates, then yes. Suppose the file

Verify a certificate

2021-01-05 Thread Yassine Chaouche
Dear list, I would like to learn how to use openssl tools to make sure a chained certificate is valid ? example : Let's say I got the Cert certificate signed by Intermediate X, but by making the full chain certificate I inadvertently inserted Intermediate Y instead of X. The (broken) certificate

Re: Verify that certificate does not change, in the verify_callback

2014-05-23 Thread Dimitrios Apostolou
The same question in much more specific terms: int VerifyCallback(X509_STORE_CTX *store_ctx, void *arg) Is the certificate stored in store_ctx the *new* one that the peer sends in case of *renegotiation*? Is the certificate stored in the SSL struct (obtained via SSL_get_peer_certificate())

Re: Verify that certificate does not change, in the verify_callback

2014-05-23 Thread Kyle Hamilton
I don't specifically know the behavior of the code, so I have no means of answering your question directly. That said, it would certainly work if you stored a copy of the certificate during your VerifyCallback(), and compared with the version you copied out yourself. You might wish to balance

Verify that certificate does not change, in the verify_callback

2014-05-21 Thread Dimitrios Apostolou
Hello list, I'm using SSL_CTX_set_cert_verify_callback(empty_callback) to bypass all certificate chain walking and validation. I extract and validate the RSA key *after* handshake and verify only that. However I believe this callback can be called arbitrary times after initial handshake, in

Re: X509_verify() failing to verify valid certificate in old OpenSSL versions

2013-11-16 Thread Dimitrios Apostolou
On Fri, 15 Nov 2013, Dr. Stephen Henson wrote: On Fri, Nov 15, 2013, Dimitrios Apostolou wrote: On Fri, 15 Nov 2013, Dr. Stephen Henson wrote: If the certificate contains no useful information then why check it at all other than to make sure it carries the correct public key? I was not

X509_verify() failing to verify valid certificate in old OpenSSL versions

2013-11-14 Thread Dimitrios Apostolou
Hello, some time now I'm having problems with X509_verify() from openssl-1.0.0-27.el6_4.2.i686 shipped with latest RHEL 6. The problem is that a self-signed certificate that I generate and verify on the server side, fails to verify on the client side after the TLS handshake. Since this

Re: X509_verify() failing to verify valid certificate in old OpenSSL versions

2013-11-14 Thread Dr. Stephen Henson
On Thu, Nov 14, 2013, Dimitrios Apostolou wrote: some time now I'm having problems with X509_verify() from openssl-1.0.0-27.el6_4.2.i686 shipped with latest RHEL 6. The problem is that a self-signed certificate that I generate and verify on the server side, fails to verify on the client side

Re: X509_verify() failing to verify valid certificate in old OpenSSL versions

2013-11-14 Thread Dimitrios Apostolou
On Thu, 14 Nov 2013, Dr. Stephen Henson wrote: On Thu, Nov 14, 2013, Dimitrios Apostolou wrote: + *) Don't reencode certificate when calculating signature: cache and use + the original encoding instead. This makes signature verification of + some broken encodings work correctly. Can

Re: Verify intermediate certificate

2012-03-11 Thread Mr.Rout
on this. Thanks in advance. Best Regards, S S Rout -- View this message in context: http://old.nabble.com/Verify-intermediate-certificate-tp33129488p33479981.html Sent from the OpenSSL - User mailing list archive at Nabble.com

RE: Re: Verify intermediate certificate

2012-01-16 Thread Eisenacher, Patrick
-Original Message- From: Steffen DETTMER * Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100: [...] Or, in other words: Let's assume I have an ultimate root (self-signed) Root and a branched CA X. I would like to trust X and all its children, but not Root. Is this

Re: Re: Verify intermediate certificate

2012-01-16 Thread Dr. Stephen Henson
On Mon, Jan 16, 2012, Eisenacher, Patrick wrote: -Original Message- From: Steffen DETTMER * Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100: [...] Or, in other words: Let's assume I have an ultimate root (self-signed) Root and a branched CA X. I would like to

Re: Verify intermediate certificate

2012-01-15 Thread Curt Sampson
On 2012-01-13 15:38 +0100 (Fri), Johannes Bauer wrote: Ah, good, then I explained it well enough :-) Do you have a solution for your scenario? Do you manually check certificates? Or is there some workaround? I described my situation in a little more detail in this message:

Re: Verify intermediate certificate

2012-01-13 Thread Johannes Bauer
On 12.01.2012 19:05, Kenneth Goldman wrote: I have a question regarding the verify method of OpenSSL: If I have a certificate chain Root - A - B - Leaf where Leaf is the certificate of a webserver (https) and Root is a self-signed certificate. In this scenario, is it valid for the

Re: Verify intermediate certificate

2012-01-13 Thread Johannes Bauer
On 12.01.2012 19:23, Michael S. Zick wrote: On Thu January 12 2012, Johannes Bauer wrote: Hello group, I have a question regarding the verify method of OpenSSL: If I have a certificate chain Root - A - B - Leaf where Leaf is the certificate of a webserver (https) and Root is a

Re: Verify intermediate certificate

2012-01-13 Thread Johannes Bauer
On 13.01.2012 01:02, Dave Thompson wrote: The verify fails. Why is that? The immediate signature is valid, does the verify command expect to always terminate at a self-signed certificate? Yes. Or rather the libcrypto routine X509_verify_cert, used by the 'verify' utility and also the SSL

Re: Verify intermediate certificate

2012-01-13 Thread Johannes Bauer
On 13.01.2012 10:15, Curt Sampson wrote: On 2012-01-13 09:54 +0100 (Fri), Johannes Bauer wrote: Let's say I have some ultimate root A which has issued a sub-CA B for me. I use B to create, for example, a certificate for my webserver D. Now I have clients which should only connect to

Re: Re: Verify intermediate certificate

2012-01-13 Thread Steffen DETTMER
* Johannes Bauer wrote on Fri, Jan 13, 2012 at 14:22 +0100: [...] Or, in other words: Let's assume I have an ultimate root (self-signed) Root and a branched CA X. I would like to trust X and all its children, but not Root. Is this not possible? [yes, it is not possible by default]

Verify intermediate certificate

2012-01-12 Thread Johannes Bauer
Hello group, I have a question regarding the verify method of OpenSSL: If I have a certificate chain Root - A - B - Leaf where Leaf is the certificate of a webserver (https) and Root is a self-signed certificate. In this scenario, is it valid for the webserver to provide only A/B/Leaf and omit

Re: Verify intermediate certificate

2012-01-12 Thread Michael S. Zick
On Thu January 12 2012, Johannes Bauer wrote: Hello group, I have a question regarding the verify method of OpenSSL: If I have a certificate chain Root - A - B - Leaf where Leaf is the certificate of a webserver (https) and Root is a self-signed certificate. In this scenario, is it

RE: Verify intermediate certificate

2012-01-12 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Michael S. Zick Sent: Thursday, 12 January, 2012 13:24 On Thu January 12 2012, Johannes Bauer wrote: Hello group, I have a question regarding the verify method of OpenSSL: If I have a certificate chain: Root - A - B - Leaf [...] is

Re: Failing to verify the certificate of one specific site

2011-10-23 Thread Jakob Bohm
On 10/22/2011 4:52 AM, Lucas Clemente Vella wrote: 2011/10/21 Jakob Bohm jb-open...@wisemo.com: According to the Digicert CPS http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf, that DigiCert root is cross-certified by the Entrust root. Some trusted certificate bundles include only the

Re: Failing to verify the certificate of one specific site

2011-10-21 Thread Jakob Bohm
According to the Digicert CPS http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf, that DigiCert root is cross-certified by the Entrust root. Some trusted certificate bundles include only the Entrust root CA and will need the Entrust-signed cross intermediary certificate to validate, other

Re: Failing to verify the certificate of one specific site

2011-10-21 Thread Lucas Clemente Vella
2011/10/21 Jakob Bohm jb-open...@wisemo.com: According to the Digicert CPS http://www.digicert.com/docs/cps/DigiCert_EV-CPS.pdf, that DigiCert root is cross-certified by the Entrust root.  Some trusted certificate bundles include only the Entrust root CA and will need the Entrust-signed cross

Auto Reply: Re: Failing to verify the certificate of one specific site

2011-10-21 Thread darren . moffat
I am out of the office on vacation until Tuesday 25th October. For urgent issues please contact Markus Flierl or Steven De Tar. __ OpenSSL Project http://www.openssl.org User Support Mailing List

RE: Failing to verify the certificate of one specific site

2011-10-20 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Lucas Clemente Vella Sent: Wednesday, 19 October, 2011 22:44 snip: connect to graph.facebook.com:443 using cafile=DigiCertHighAssuranceEVRootCA.crt gets rc=20 Then I found this directory in my system, /etc/ssl/certs, containing my installed

Re: Failing to verify the certificate of one specific site

2011-10-19 Thread Lucas Clemente Vella
2011/10/9 Lucas Clemente Vella lve...@gmail.com: First of all, I am not a direct user of the OpenSSL library, but I am using it via Python 2.7 built-in module ssl, which in turn uses OpenSSL. Since my problem is SSL specific, I thought people here would be more apt to help me. Now I wrote the

Failing to verify the certificate of one specific site

2011-10-09 Thread Lucas Clemente Vella
to the external server graph.facebook.com. It is plain in the Python urllib2 module documentation that, while it will happily establish an HTTPS connection, it will not verify the server's certificate. So I was trying to use the ssl module to get the server's certificate verified. The problem

Re: Verify a certificate

2011-07-25 Thread lists
On 07/19/2011 08:20 AM, Mailing List SVR wrote: Hi, I need to verify the attached certificate (cert.bin) and read the asn1 info stored in it. I'm using the following commands: openssl smime -verify -in cert.pem -inform pem -CAfile signer.pem cert.data and then: openssl asn1parse -inform

Re: Verify a certificate

2011-07-25 Thread Mailing List SVR
Thanks my question was already answered my original certificate was not rfc compliant and so openssl fails to verify it, thanks anyway Nicola On 25/07/2011 17:22, lists wrote: On 07/19/2011 08:20 AM, Mailing List SVR wrote: Hi, I need to verify the attached certificate (cert.bin

Verify a certificate

2011-07-19 Thread Mailing List SVR
Hi, I need to verify the attached certificate (cert.bin) and read the asn1 info stored in it. I'm using the following commands: openssl smime -verify -in cert.pem -inform pem -CAfile signer.pem cert.data and then: openssl asn1parse -inform DER -in cert.data now if the signer give me

Verify a certificate

2011-07-18 Thread Mailing List SVR
Hi, I need to verify the attached certificate (cert.bin) and read the asn1 info stored in it. I'm using the following commands: openssl smime -verify -in cert.pem -inform pem -CAfile signer.pem cert.data and then: openssl asn1parse -inform DER -in cert.data now if the signer give me

Re: verify client certificate at a later point

2009-09-26 Thread Michael Prinzinger
Thank You for your help! I understand now, that the client would not be able to offer a certificate unless it owns the corresponding private key. So it is enough to check that the certificate offered (or its fingerprint), matches the certificate (resp. finger print) sent to the server on a secure

Re: verify client certificate at a later point

2009-09-26 Thread Victor Duchovni
On Sat, Sep 26, 2009 at 03:49:34PM +0200, Michael Prinzinger wrote: Once I will have a first working prototype of the protocol, you will be able to check it out here: http://code.google.com/p/phantom/ Thanks for the offer, but I try to avoid using security software written by implementers new to

Re: verify client certificate at a later point

2009-09-25 Thread Michael Prinzinger
Dear Victor, thanks for your help. The problem is that I need to understand OpenSSL and its mechanisms and possibilities in order to find a way to implement the design of the protocol. It would be nice if you could help a little bit further still, but I will understand if you should choose not

Re: verify client certificate at a later point

2009-09-25 Thread Michael S. Zick
On Fri September 25 2009, Michael Prinzinger wrote: Dear Victor, thanks for your help. The problem is that I need to understand OpenSSL and its mechanisms and possibilities in order to find a way to implement the design of the protocol. It would be nice if you could help a little bit

Re: verify client certificate at a later point

2009-09-25 Thread Victor Duchovni
On Fri, Sep 25, 2009 at 01:49:25PM +0200, Michael Prinzinger wrote: Dear Victor, thanks for your help. The problem is that I need to understand OpenSSL and its mechanisms and No you need to understand SSL/TLS in general, and how to make use of SSL in your protocol. The OpenSSL part will be

RE: verify client certificate at a later point

2009-09-25 Thread David Schwartz
Michael Prinzinger: I wrote a customized check certificate method, that simply compares the certificate the client offered during the connection build up, to the certificate we know it should be using. This works fine. That works so long as you already know the certificate the client should

Re: verify client certificate at a later point

2009-09-24 Thread Steffen DETTMER
* Victor Duchovni wrote on Wed, Sep 23, 2009 at 16:18 -0400: On Wed, Sep 23, 2009 at 10:04:48PM +0200, Michael Prinzinger wrote: I have a somewhat curious setting (without CAs) about [...] //check certificate This only verifies the server's *trust chain*, but not its identity.

Re: verify client certificate at a later point

2009-09-24 Thread Victor Duchovni
On Thu, Sep 24, 2009 at 12:00:05AM +0200, Michael Prinzinger wrote: Certificates are useless without corresponding signed messages. What messages are signed by the private key of the previous node, that the current node can forward to the next? I only want to verify that the previous

Re: verify client certificate at a later point

2009-09-24 Thread Michael Prinzinger
authorities within the context of this protocol, I can only directly verify a certificate, resp. some message signed with the corresponding private key. If you want something else, you must explain it in a lot more detail. Note, your problem is understanding the crypto protocol design

Re: verify client certificate at a later point

2009-09-24 Thread Victor Duchovni
) with the peer certificate (public key fingerprint) from the SSL session. Since there are no central trust authorities within the context of this protocol, I can only directly verify a certificate, resp. some message signed with the corresponding private key. Verify is the wrong term here. It suggests

Re: verify client certificate at a later point

2009-09-24 Thread Michael Prinzinger
and decrypt the payload, you compare the enclosed peer certificate (public key fingerprint) with the peer certificate (public key fingerprint) from the SSL session. Since there are no central trust authorities within the context of this protocol, I can only directly verify a certificate, resp

Re: verify client certificate at a later point

2009-09-24 Thread Michael Prinzinger
peer certificate (public key fingerprint) with the peer certificate (public key fingerprint) from the SSL session. Since there are no central trust authorities within the context of this protocol, I can only directly verify a certificate, resp. some message signed with the corresponding

verify client certificate at a later point

2009-09-23 Thread Michael Prinzinger
Dear OpenSSL group, I have a somewhat curious setting (without CAs) about routing information along several nodes: [1] first an unknown client establishes a connection to a known server thus I set SSL_CTX_set_verify(this->ctx, SSL_VERIFY_NONE, NULL); and let the client verify the server's

Re: verify client certificate at a later point

2009-09-23 Thread Victor Duchovni
On Wed, Sep 23, 2009 at 10:04:48PM +0200, Michael Prinzinger wrote: and let the client verify the server's certificate, like this X509* x509 = SSL_get_peer_certificate(s); CHECK(x509 != NULL); //check certificate long certVerifyResults = SSL_get_verify_result(s

RE: verify client certificate at a later point

2009-09-23 Thread Ashish Thapliyal
I set the following for the global context which is used to create the connection: // Set the SSL certificate verify mode SSL_CTX_set_verify(_globalContext, SSL_VERIFY_PEER, NULL); Then the server requests the peer (i.e. the client) for a certificate during the handshake, which

Re: verify client certificate at a later point

2009-09-23 Thread Michael Prinzinger
information unrelated to openssl). When establishing a connection to the next node, the current node can thus verify the certificate of the next node. However, now that the current node also got to know the previous node's certificate in a secure way, it can also verify the previous node's certificate

Re: verify client certificate at a later point

2009-09-23 Thread Michael Prinzinger
Thank You Ashish for your answer! On Wed, Sep 23, 2009 at 10:30 PM, Ashish Thapliyal ashish.thapli...@citrix.com wrote: I set the following for the global context which is used to create the connection: // Set the SSL certificate verify mode SSL_CTX_set_verify

Re: verify client certificate at a later point

2009-09-23 Thread Victor Duchovni
, the current node can thus verify the certificate of the next node. Sure. However, now that the current node also got to know the previous node's certificate in a secure way, it can also verify the previous node's certificate. This makes no sense. What message associated with the previous

Re: verify client certificate at a later point

2009-09-23 Thread Michael Prinzinger
Dear Victor, On Wed, Sep 23, 2009 at 11:33 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote: On Wed, Sep 23, 2009 at 10:43:11PM +0200, Michael Prinzinger wrote: Certificates are useless without corresponding signed messages. What messages are signed by the private key of the

RE: verify client certificate at a later point

2009-09-23 Thread Ashish Thapliyal
this helps. Ashish. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Prinzinger Sent: Wednesday, September 23, 2009 2:02 PM To: openssl-users@openssl.org Subject: Re: verify client certificate at a later point Thank You Ashish for your answer! On Wed

How to verify peer certificate

2008-10-08 Thread Ajeet kumar.S
Dear All; Thank you all of you for your support. When I called SSL_CTX_load_verify_locations() and SSL_CTX_set_verify() to verify the peer certificate but I got fatal error unknown certificate authority. Please let me know what is reason behind it. But I have CA certificate, client

How to verify peer certificate using self signed root CA certificate.

2008-10-08 Thread Ajeet kumar.S
Dear All, I have a self-signed root certificate and I want to verify the peer certificate. Please tell me how to verify it. What API do I need to call? Thank you. Regards, --Ajeet Kumar Singh

Re: Verify x509 certificate

2008-08-03 Thread .:: Francesco la Torre ::.
PROTECTED] To: openssl-users@openssl.org Sent: Saturday, August 2, 2008 5:16:10 PM Subject: Re: Verify x509 certificate Solved ! I forgot to call SSLeay_add_all_algorithms(); ... a summer youthful folly :-) Flt Il giorno sab, 02/08/2008 alle 11.43 +0200, .:: Francesco la Torre ::. ha

Re: Verify x509 certificate

2008-08-02 Thread Kyle Hamilton
The verify(1ssl) man page has descriptions of these error codes. 7 is X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure, which is described as: the signature of the certificate is invalid. I would presume that this is because the signature cannot be verified with the public key

Re: Verify x509 certificate

2008-08-02 Thread .:: Francesco la Torre ::.
to verify the certificate from command line openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem The output is : cert.pem: OK so both certificates are valid. Regards, Flt -Kyle H On Fri, Aug 1, 2008 at 5:15 PM, .:: Francesco la Torre ::. [EMAIL PROTECTED] wrote: On sab, 2008

Re: Verify x509 certificate

2008-08-02 Thread .:: Francesco la Torre ::.
., the data in one of the certificates has been modified since it was signed (and thus, the signature has been invalidated). You're true, but I used the strange adjective because if I try to verify the certificate from command line openssl verify -CAfile /home/frank/test/test-CA/calist.pem

Re: Verify x509 certificate

2008-08-02 Thread Sendroiu Eugen
, August 2, 2008 5:16:10 PM Subject: Re: Verify x509 certificate Solved ! I forgot to call SSLeay_add_all_algorithms(); ... a summer youthful folly :-) Flt On Sat, 02/08/2008 at 11.43 +0200, .:: Francesco la Torre ::. wrote: On Sat, 2008-08-02 at 02:04 -0700, Kyle Hamilton wrote

Verify x509 certificate

2008-08-01 Thread Francesco la Torre
Dear all, I'm new in openssl api and I'm trying to write a simple application to verify an x509 certificate but I'm facing with some strange problem. Here there is a snapshot of my code to use to replicate my scenario : #include <stdio.h> #include <stdlib.h> #include <string.h> #include <openssl/pem.h>

Re: Verify x509 certificate

2008-08-01 Thread .:: Francesco la Torre ::.
Any help from someone ? :-) Flt On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote: Dear all, I'm new in openssl api and I'm trying to write a simple application to verify an x509 certificate but I'm facing with some strange problem. Here there is a snapshot of my

Re: Verify x509 certificate

2008-08-01 Thread Sendroiu Eugen
, August 1, 2008 8:02:44 PM Subject: Re: Verify x509 certificate Any help from someone ? :-) Flt On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote: Dear all, I'm new in openssl api and I'm trying to write a simple application to verify an x509 certificate but I'm facing

Re: Verify x509 certificate

2008-08-01 Thread .:: Francesco la Torre ::.
] To: openssl-users@openssl.org Sent: Friday, August 1, 2008 8:02:44 PM Subject: Re: Verify x509 certificate Any help from someone ? :-) Flt On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote: Dear all, I'm new in openssl api and I'm trying to write a simple

Re: Verify x509 certificate

2008-08-01 Thread .:: Francesco la Torre ::.
Sent: Friday, August 1, 2008 8:02:44 PM Subject: Re: Verify x509 certificate Any help from someone ? :-) Flt On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote: Dear all, I'm new in openssl api and I'm trying to write a simple application

Re: Verify x509 certificate

2008-08-01 Thread .:: Francesco la Torre ::.
On Sat, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote: self reply :-) I've added a callback function like this static int cb(int ok, X509_STORE_CTX *ctx){ char buf[256]; X509_NAME_oneline( X509_get_subject_name(ctx->current_cert),buf,256);

Re: How to verify a certificate against several others

2007-07-11 Thread Florian MANACH
Hi Goetz, Thx again for your help, I finally found what was going wrong with my code. I was setting a flag to force CRL verification but I did not have a CRL stored for the CA. Now everything is running well. Thx again for your help. Regards ! -- Florian Manach NUMLOG [EMAIL PROTECTED]

Re: How to verify a certificate against several others

2007-07-10 Thread Florian MANACH
Hi Goetz, I saw that it needs PEM format... but even if I convert the certs in PEM, links are created but my app still returns an error on verification. Thx again for your help. -- Florian Manach NUMLOG [EMAIL PROTECTED] (+33)0130791616 Goetz Babin-Ebell wrote: Hello Florian, --On

Re: How to verify a certificate against several others

2007-07-10 Thread Goetz Babin-Ebell
Hello Florian, --On Monday, July 09, 2007 09:25:01 +0200 Florian MANACH [EMAIL PROTECTED] wrote: I saw that it needs PEM format... but even if I convert the certs in PEM, links are created but my app still returns an error on verification. Hm. Try to store roots, intermediate certs and

Re: How to verify a certificate against several others

2007-07-06 Thread Florian MANACH
OK I see but It's always not working after c_rehash ./root c_rehash ./certs c_rehash ./crls -- Florian Manach NUMLOG [EMAIL PROTECTED] (+33)0130791616 Goetz Babin-Ebell wrote: Hello Florian, --On Thursday, July 05, 2007 17:59:01 +0200 Florian MANACH [EMAIL PROTECTED] wrote: No, I

Re: How to verify a certificate against several others

2007-07-06 Thread Goetz Babin-Ebell
Hello Florian, --On Friday, July 06, 2007 09:14:41 +0200 Florian MANACH [EMAIL PROTECTED] wrote: OK I see but It's always not working after c_rehash ./root c_rehash ./certs c_rehash ./crls Oups: --On Thursday, July 05, 2007 14:55:59 +0200 Florian MANACH [EMAIL PROTECTED] wrote:

How to verify a certificate against several others

2007-07-05 Thread Florian MANACH
Hi, I'm trying to develop an app which should be able to verify if a certificate might be trusted. I have a directory where I store CA root certificates. I want my app to check if a certificate is signed by the mentioned CA on the ISSUER field. In order to do this, it might look

Re: How to verify a certificate against several others

2007-07-05 Thread Goetz Babin-Ebell
--On Thursday, July 05, 2007 14:55:59 +0200 Florian MANACH [EMAIL PROTECTED] wrote: I have a directory where I store CA root certificates. I want my app to check if a certificate is signed by the mentioned CA on the ISSUER field. In order to do this, it might look on this directory and

Re: How to verify a certificate against several others

2007-07-05 Thread Florian MANACH
No, I didn't even know that function. What does it do ? -- Florian Manach NUMLOG [EMAIL PROTECTED] (+33)0130791616 Goetz Babin-Ebell wrote: --On Thursday, July 05, 2007 14:55:59 +0200 Florian MANACH [EMAIL PROTECTED] wrote: I have a directory where I store CA root certificates. I

Re: How to verify a certificate against several others

2007-07-05 Thread Goetz Babin-Ebell
Hello Florian, --On Thursday, July 05, 2007 17:59:01 +0200 Florian MANACH [EMAIL PROTECTED] wrote: No, I didn't even know that function. What does it do ? It loads all certificate files (and CRL files) in the directory and generates a short 4 byte hash from the common name of the cert.

howto verify a certificate

2007-03-17 Thread Jamie F.
Hi all, I have a bit strange Q: i've created a self-signed certificate (first i created a CA (root certificate) then created another certificate from it like that [http://www.tc.umn.edu/~brams006/selfsign.html]). but i can't find how will i verify that if the second certificate made from the

Re: howto verify a certificate

2007-03-17 Thread Greg Martin
Try this: openssl x509 -in filename.pem -text -noout You should see an issuer: statement that talks about the CA. \\Greg Jamie F. wrote: Hi all, I have a bit strange Q: i've created a self-signed certificate (first i created a CA (root certificate) then created another certificate from it

Re: howto verify a certificate

2007-03-17 Thread Victor Duchovni
On Sat, Mar 17, 2007 at 05:08:06PM -0400, Greg Martin wrote: Try this: openssl x509 -in filename.pem -text -noout You should see an issuer: statement that talks about the CA. Rather depends on what the OP meant by verify, and what context this is to be performed. -- Viktor.

Verify a Certificate

2007-02-12 Thread Markus Wenke
Hello, I have a secure connection with a buffered BIO, and after the connection is established, I want to verify (on the Client) the Server's certificate with a Root-CA. How can I do this with openssl? thanks in advance Markus

Re: Verify a Certificate

2007-02-12 Thread Marek Marcola
Hello, I have a secure connection with a buffered BIO, and after the connection is established, I want to verify (on the Client) the Server's certificate with a Root-CA. How can I do this with openssl? With functions like: cert = SSL_get_peer_certificate(ssl);

Re: Verify a Certificate

2007-02-12 Thread Dr. Stephen Henson
On Mon, Feb 12, 2007, Marek Marcola wrote: Hello, I have a secure connection with a buffered BIO, and after the connection is established, I want to verify (on the Client) the Server's certificate with a Root-CA. How can I do this with openssl? With functions like: cert =

How to verify a certificate chain?

2005-05-18 Thread Andreas Hoffmann
Hi, how can I verify multiple single DER-encoded certificates which I receive from a gateway and which represent a cert-chain altogether. I think this should be done like this (PseudoCode): foreach (cert from chain) check, if it was signed by the CA of the previous cert Check if one of the

Re: How to verify a certificate chain?

2005-05-18 Thread Olaf Gellert
Andreas Hoffmann wrote: Hi, how can I verify multiple single DER-encoded certificates which I receive from a gateway and which represent a cert-chain altogether. I think this should be done like this (PseudoCode): foreach (cert from chain) check, if it was signed by the CA of the

Unable to verify self-certificate

2005-01-22 Thread chandra sekhar_suram
Hi all, Please find the files rsa512.txt, ca.txt and self.txt attached. rsa512.txt is the private key, ca.txt is a CA certificate from Entrust (Demonstration CA certificate) self.txt is the self-certificate that Entrust has issued. When I am trying to use x509_verify_cert() function to verify

how do i use a CRL file to verify a certificate against?

2004-09-21 Thread Jon Bendtsen
i can verify a certificate against a root certificate, with openssl verify -CAfile root.ca rsacert.pem but how do i know that the certificate i try to verify has not been revoked? JonB __ OpenSSL Project

RE: how do i use a CRL file to verify a certificate against?

2004-09-21 Thread Lee Baydush
, September 21, 2004 9:39 AM To: [EMAIL PROTECTED] Subject: how do i use a CRL file to verify a certificate against? i can verify a certificate against a root certificate, with openssl verify -CAfile root.ca rsacert.pem but how do i know that the certificate i try to verify has not been revoked

Re: how do i use a CRL file to verify a certificate against?

2004-09-21 Thread Jon Bendtsen
On 21 Sep 2004, at 15:43, Lee Baydush wrote: You can't tell if it has been revoked. That's why they are 'trusted roots'. If you think your root ca has been compromised, that is when you usually hit the big red panic button and shut down the shop. no no, it's not the root ca that has been

Re: how do i use a CRL file to verify a certificate against?

2004-09-21 Thread Charles B Cranston
Jon Bendtsen wrote: i can verify a certificate against a root certificate, with openssl verify -CAfile root.ca rsacert.pem but how do i know that the certificate i try to verify has not been revoked? At the risk of seeming to oversimplify a VERY complicated issue: 1. You have been downloading

RE: how do i use a CRL file to verify a certificate against?

2004-09-21 Thread Lee Baydush
that, or you can examine some of the samples that call routines like X509_verify_cert(). -Original Message- From: Jon Bendtsen [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 21, 2004 9:50 AM To: [EMAIL PROTECTED] Subject: Re: how do i use a CRL file to verify a certificate against? Den 21

you mean Network Security with OpenSSL ? RE: how do i use a CRL file to verify a certificate against?

2004-09-21 Thread Peter O Sigurdson
to verify a certificate against? ok. You get the CDP from the certificate, load the CRL from the CDP, verify the CRL against the root cert. to verify that the signature matches, it has not expired, etc. , then see if the cert's number is in the CRL. Check out the book 'OpenSSL' by O'Reilly. It walks

Re: Windows does not have enough information to verify this certificate

2003-03-17 Thread Mark . Shoneman
enough information to verify this certificate When we view a certificate issued by some CA, windows may tell us this: Windows does not have enough information to verify this certificate. What does this mean? Does it mean that I have not installed the CA cert as a trusted root CA

Windows does not have enough information to verify this certificate

2003-03-14 Thread Mark Liu
When we view a certificate issued by some CA, windows may tell us this: Windows does not have enough information to verify this certificate. What does this mean? Does it mean that I have not installed the CA cert as a trusted root CA?

RE: help needed! error trying to verify a certificate

2002-11-14 Thread Mitchel, Jennifer (Jem)
Whacker [mailto:levitte;stacken.kth.se] Sent: Thursday, November 14, 2002 3:20 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: help needed! error trying to verify a certificate In message [EMAIL PROTECTED] on Wed, 13 Nov 2002 16:10:07 -0600, Mitchel, Jennifer (Jem) [EMAIL PROTECTED] said

Re: help needed! error trying to verify a certificate

2002-11-14 Thread Charles B Cranston
Mitchel, Jennifer (Jem) wrote: I have generated my key pair. I have generated my certificate signing request sent it to my CA and gotten my certificate back... I named it server.crt I am trying to use ssl to verify the certificate. I have the key pair, csr server.crt all in install/bin so

Verify Client Certificate Error

2002-08-01 Thread Stone Shi
Hello all, I installed an apache+mod_ssl+openSSL server, but it can't verify my client certificate. The server log is [01/Aug/2002 15:29:21 27838] [trace] Certificate Verification: depth: 1, subject : /CN=ChinaPay Publish System, issuer: /C=CN/CN

verify client certificate

2000-09-05 Thread yongw
} printf("verify return:%d\n",ok); return(ok); } but I got these message: verify error:num=20:unable to get local issuer certificate verify error:num=27:certificate not trusted verify error:num=21:u

Re: verify client certificate

2000-09-05 Thread Lutz Jaenicke
On Tue, Sep 05, 2000 at 02:35:05PM -0400, [EMAIL PROTECTED] wrote: but I got these message: verify error:num=20:unable to get local issuer certificate verify error:num=27:certificate not trusted verify error:num=21:unable to verify the first certificate How can I verify the client

Re: verify client certificate

2000-09-05 Thread Lutz Jaenicke
On Tue, Sep 05, 2000 at 04:28:26PM -0400, [EMAIL PROTECTED] wrote: thanks a lot. but how to sends the certificate of the CA that issued the client certificate together with the client certificate. and I already used the SSL_CTX_use_certificate_chain_file(ctx,CERTF); I used the s_client

Failure to verify client certificate

2000-06-28 Thread Oliver King
I'm curious: the SSL server code (s3_srvr.c, line 1677) sets an error of "no certificate returned" when the client's certificate fails verification. Why use this (rather misleading) error message? The equivalent client code (s3_clnt.c, line 764) uses the more intuitive error of "
