On Thu, Feb 24, 2011 at 11:35 AM, Lars Schiller <[email protected]> wrote:
> On 23.02.2011 00:05, George Niculae wrote:
>> On Wed, Feb 23, 2011 at 12:56 AM, Mircea Carasel<[email protected]> wrote:
>>>> Thank you in advance for your help. Attached you will find the generated
>>>> certificates and the sniffed traffic on the configured TLS port. Maybe there
>>>> is a simple but effective mistake.
>>> Lars,
>>>
>>> Thank you for the certificates archive
>>>
>>> We are using the "openssl verify" command to check if a certificate is OK or not
>>> before importing it
>>> I found two certificates there
>>> servercert.pem is not valid
>>> but cacert.pem looks valid but still has a problem
>>> Here are my results:
>>>
>>> [mirceac@decebal lars]$ openssl verify servercert.pem
>>> servercert.pem: C = DE, ST = NDS, O = Teamprojekt, CN = sipx.teamprojekt.local, emailAddress = [email protected]
>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>
>>> [mirceac@decebal lars]$ openssl verify cacert.pem
>>> cacert.pem: C = DE, ST = NDS, L = Wolfenbuettel, O = Teamprojekt, CN = sipx.teamprojekt.local, emailAddress = [email protected]
>>> error 18 at 0 depth lookup:self signed certificate
>>> OK
>> Looks like your cert needs to be signed by a CA...
>>
>> George
>
> Maybe I misunderstood something in the way self-signed certificates are
> created.
> The certificates from the archive were made with the following
> commands:
>
> My own CA:
> openssl req -new -x509 -newkey rsa:1024 -keyout cakey.pem -out
> cacert.pem -days 3650
>
> The key file for the server:
> openssl genrsa -out serverkey.pem -aes128 1024 -days 3650
>
> Removing the pass phrase:
> openssl rsa -in serverkey.pem -out serverkey.pem
>
> Certificate signing request for the server:
> openssl req -new -key serverkey.pem -out req.pem -nodes
>
> Signing the CSR:
> openssl ca -in req.pem -notext -out servercert.pem
>
> I would be very grateful if somebody could help me find my error in
> reasoning.
>
This is the error you hit:
http://gagravarr.org/writing/openssl-certs/errors.shtml

IMO it looks like your own CA is not installed in openssl as a trusted CA: you can follow this
http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl
or have your certificate signed by a known authority.

George
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
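A reproduction of the steps discussed in the thread, added here as an example (it is not Lars's or George's code): it rebuilds a private CA and a CA-signed server certificate, then shows that `openssl verify servercert.pem` fails with error 20 until the CA is supplied with `-CAfile` (or installed as trusted), at which point the same certificate verifies OK. It assumes an `openssl` CLI on PATH, uses constructed subjects, and substitutes `openssl x509 -req -CA ...` for the thread's `openssl ca`, which needs a configured CA directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes an openssl CLI in PATH.
# "openssl x509 -req -CA ..." stands in for "openssl ca", which needs a
# configured CA directory (openssl.cnf, index.txt, serial) to run.

WORK="${TMPDIR:-/tmp}/pki-demo.$$"   # scratch directory for the generated files

# Create cakey.pem/cacert.pem (self-signed CA), serverkey.pem, req.pem and
# servercert.pem (signed by that CA) under $WORK. Returns 0 on success.
build_pki() {
    mkdir -p "$WORK" || return 1
    # Self-signed CA, as in the thread (2048-bit key, no passphrase, constructed subject).
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/cakey.pem" \
        -out "$WORK/cacert.pem" -days 3650 \
        -subj "/O=Teamprojekt/CN=Teamprojekt Test CA" >/dev/null 2>&1 || return 1
    # Server key (genrsa takes no -days option; validity belongs to the certificate).
    openssl genrsa -out "$WORK/serverkey.pem" 2048 >/dev/null 2>&1 || return 1
    # Certificate signing request for the server.
    openssl req -new -key "$WORK/serverkey.pem" -out "$WORK/req.pem" \
        -subj "/O=Teamprojekt/CN=sipx.teamprojekt.local" >/dev/null 2>&1 || return 1
    # Sign the CSR with the CA key (replaces "openssl ca -in req.pem -out servercert.pem").
    openssl x509 -req -in "$WORK/req.pem" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/servercert.pem" \
        -days 365 >/dev/null 2>&1 || return 1
}

# Verify without naming the CA: openssl consults only its default trust store,
# which does not contain the private CA, so the lookup fails with
# "error 20 ... unable to get local issuer certificate". Returns non-zero.
verify_without_ca() {
    openssl verify "$WORK/servercert.pem" >/dev/null 2>&1
}

# Verify with the private CA supplied explicitly: the chain builds to a trusted
# root and the result is OK. Returns 0.
verify_with_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/servercert.pem" >/dev/null 2>&1
}

# Remove the scratch directory.
cleanup_pki() {
    rm -rf "$WORK"
}
```

Installing cacert.pem into the system trust store (George's second link) has the same effect as `-CAfile` for every tool on the host, which is what a TLS client connecting to the SIP port needs.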
