Hi all.

   I have a problem with a certificate chain and a server certificate, and I 
need help.
   The certificate chain is formed by the Root CA Certificate and the 
Subordinate CA Certificate shown below.
   The server certificate is the last certificate.
   I have configured Apache with mod_ssl and when I try to access 
https://imladris.dif.um.es I get the following error:

Apache/1.3.19 (Unix) ApacheJServ/1.1.2 mod_ssl/2.8.3 OpenSSL/0.9.6g 
configured -- resuming normal operations
[Thu Sep 19 10:13:14 2002] [error] mod_ssl: SSL handshake failed (server 
imladris.dif.um.es:443, client 2001:720:1710:f00::2) (OpenSSL library 
error follows)
[Thu Sep 19 10:13:14 2002] [error] OpenSSL: error:14094412:SSL 
routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN 
in certificate not server name or identical to CA!?]

   Obviously it's a mistake: the server certificate's subject is the same 
as the server name (in the httpd.conf file)
   and it's not a CA.

   I think the problem is in the path validation, in the NameConstraints 
extensions (2.5.29.30), but I'm not sure.
   I don't know if OpenSSL supports this extension and if it's well 
configured.

   Any idea?

   Thanks, Gabi.


** Root CA Certificate **

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 1 (0x1)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
       Validity
           Not Before: Sep 16 22:00:00 2002 GMT
           Not After : Sep 16 22:00:00 2004 GMT
       Subject: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:aa:e5:b5:5b:0a:f4:ef:79:2a:4d:8e:84:e1:ce:
                   43:59:81:2d:b6:53:8c:97:77:4f:db:07:08:69:b0:
                   68:ea:1d:cd:fe:c2:a4:a2:08:ec:ce:ed:b4:13:91:
                   dc:da:bf:27:41:ef:f1:f3:3b:96:36:97:2f:9c:f3:
                   48:21:b3:a0:34:0d:8a:e8:04:cf:d5:c2:06:dd:cf:
                   5d:ea:7c:d5:9e:ab:92:65:7a:e1:32:ee:73:f4:4f:
                   99:be:18:5c:a0:84:5c:b0:09:f0:8a:68:61:1a:94:
                   ec:c5:95:9b:10:c4:0b:4b:e9:e0:2f:48:7b:2b:23:
                   56:02:56:a7:2c:16:c4:2f:0d
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Key Usage: critical
               Digital Signature, Certificate Sign, CRL Sign
           X509v3 Basic Constraints: critical
               CA:TRUE
           Netscape Cert Type:
               SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
   Signature Algorithm: md5WithRSAEncryption


*** Subordinate CA Certificate ***

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 28 (0x1c)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
       Validity
           Not Before: Sep 17 11:25:36 2002 GMT
           Not After : Sep 17 11:25:36 2003 GMT
       Subject: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (512 bit)
               Modulus (512 bit):
                   00:b5:e5:36:3f:7a:29:a0:da:3a:67:60:4f:ed:52:
                   81:09:26:21:4d:a7:14:77:54:56:be:87:1d:5a:62:
                   26:89:aa:f4:00:19:e6:c5:d8:c0:68:71:0f:2b:b5:
                   7b:54:25:7f:98:2e:75:e6:65:76:b4:9f:39:99:2e:
                   56:19:b6:5e:27
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Key Usage: critical
               Certificate Sign, CRL Sign
           2.5.29.30: critical
               0...0...umu-euro6ix dd
           X509v3 Basic Constraints: critical
               CA:TRUE
           Netscape Cert Type:
               SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
   Signature Algorithm: md5WithRSAEncryption

*** Server Certificate (ServerName=imladris.dif.um.es) **

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 15 (0xf)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
       Validity
           Not Before: Sep 17 15:55:07 2002 GMT
           Not After : Sep 17 15:55:07 2003 GMT
       Subject: C=ES, O=umu, OU=umu dd, CN=imladris.dif.um.es
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (512 bit)
               Modulus (512 bit):
                   00:b6:85:42:e5:32:6f:30:5f:69:8f:c1:93:ca:a6:
                   19:3a:67:b7:c0:d2:12:e0:7d:c2:75:0f:4e:00:30:
                   16:4f:39:fb:9a:49:5d:db:18:bb:20:b4:6b:67:df:
                   ca:96:2f:18:1e:95:b9:56:9b:19:72:9a:2a:78:b7:
                   09:d9:0f:15:37
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           Netscape Cert Type:
               SSL Server, S/MIME, Object Signing
           X509v3 Basic Constraints:
               CA:FALSE
           X509v3 Subject Alternative Name:
               email:[EMAIL PROTECTED]
   Signature Algorithm: md5WithRSAEncryption

-- 
-------------------------------------------------
Gabriel Lopez Millan - Grupo ANTS-CIRCuS
Facultad de Informática
Universidad de Murcia (España) Tfo: +34 968367645
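
Added example, not part of the original post and not OpenSSL code: the 2.5.29.30 value in the Subordinate CA dump above is printed as raw bytes, so the code below decodes a DER NameConstraints value and checks a subject DN against its directoryName subtrees. `SAMPLE_EXT` and every function name are constructed for illustration; the poster's actual extension bytes cannot be recovered from the dump.

```python
ATTRS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",       # DER bodies of the
         b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}     # attribute-type OIDs

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits count the length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, content) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        yield tag, content

def decode_name(body):
    """Name content -> [(attr, value), ...] in encoded order (C first)."""
    return [(ATTRS.get(oid, oid.hex()), val.decode("utf-8", "replace"))
            for _, rdn in children(body) for _, ava in children(rdn)
            for (_, oid), (_, val) in [children(ava)]]

def decode_name_constraints(ext):
    """DER NameConstraints -> directoryName subtrees, permitted and excluded."""
    tag, body, _ = read_tlv(ext)
    if tag != 0x30:
        raise ValueError("NameConstraints must be a SEQUENCE")
    found = {"permitted": [], "excluded": []}
    for tag, subtrees in children(body):
        key = {0xA0: "permitted", 0xA1: "excluded"}[tag]   # [0] / [1] IMPLICIT
        for _, subtree in children(subtrees):              # each GeneralSubtree
            base_tag, base = next(children(subtree))
            if base_tag == 0xA4:                           # directoryName [4]
                found[key].append(decode_name(read_tlv(base)[1]))
    return found

def dn_allowed(subject, nc):
    """Subtree = prefix of subject; exact strings, no RFC 5280 normalisation."""
    inside = lambda tree: subject[:len(tree)] == tree
    return (not any(inside(t) for t in nc["excluded"]) and
            (not nc["permitted"] or any(inside(t) for t in nc["permitted"])))

# Constructed sample (permitted subtree C=ES, O=example-org), NOT the post's extension.
SAMPLE_EXT = bytes.fromhex(
    "302ba0293027a4253023" "310b3009060355040613024553"      # wrappers, C=ES
    "31143012060355040a130b6578616d706c652d6f7267")          # O=example-org
```

A verifier that does not implement an extension marked critical has to reject the chain, so decoding the real extension bytes and running the server subject through a check like `dn_allowed` separates an unsupported-extension failure from a genuine constraint violation.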
