Dr Stephen Henson wrote:
> 
> Thomas Reinke wrote:
> >
> > Ok...a touch more information - the problem I think I have
> > is that the cert I want to validate has a authorityKeyIdentifier,
> > but none of the certs in the cert stores I am using have a
> > SubjectKeyIdentifier that matches. I have a rather
> > exhaustive list of CA certs scrubbed from the browser
> > I am currently using (Netscape 4.51), as well as having
> > checked all the certs in the latest openssl bundle.
> >
> > My expectation was to see the cert in the Netscape bundle.
> >
> > Going one step further, the CA in question subsequently
> > provided me with their certificate, which in turn ALSO
> > has a keyid in the authorityKeyIdentifier field. Now
> > I am really puzzled, because:
> >
> >    1) I don't have the CA's cert in my browser, but it
> >       validated everything OK.
> >    2) The CA's cert lists Thawte as the issuing authority,
> >       but the keyid doesn't match the subject id of any
> >       Thawte certificate I have.
> >    3) openssl>verify -CAfile master.list x
> >       ends up failing with:
> >
> >     OpenSSL> verify -CAfile master.list x
> >     x: /C=XX/O=XXXXXXXXX/CN=XXXX's cert name
> >     error 2 at 1 depth lookup:unable to get issuer certificate
> >
> > I'm presuming that since its at "depth of 1", means that it
> > can't verify the CA's cert, which I can understand, since I
> > can't manually validate the #$%^& thing either.
> >
> > Am I brain dead? What am I missing?
> >
> 
> What kind of certificate is it, SSL server, S/MIME or what? It's possible
> that you are getting the leaf certificate and an untrusted subordinate
> certificate and Netscape is doing chain verification to the trusted
> root.
> 
> If so then you'll need the subordinate CA in order to check it with
> OpenSSL.
> 
> Steve.

Ok, providing specifics: the cert I'm playing with to attempt to
validate is an SSL Server cert installed on https://www.msoe.edu.
It's issued by Equifax, but my browser doesn't have an Equifax cert.
That's my first puzzle. Why will Netscape validate the site?
More specifically, what is chain verification, if it is not the same
thing that OpenSSL does when running verify?

As for the second puzzle (OpenSSL not validating it), I've partially
solved the problem, and will assume I'm messing something up at
my end - when I put just the Thawte and Equifax cert in a CAfile
by themselves and run verify, everything checks out OK.


--------------------------------------------------------------------

Script started on Tue Oct  5 21:22:39 1999
[thomas@www4 cacerts]$ s_client -connect www.msoe.edu:443 -CAfile master.list
CONNECTED(00000003)
depth=1 /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Wisconsin/L=Milwaukee/O=Milwaukee School of Engineering/OU=CCSD/CN [EMAIL PROTECTED]
   i:/C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA
 1 s:/C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Wisconsin/L=Milwaukee/O=Milwaukee School of Engineering/OU=CCSD [EMAIL PROTECTED]
issuer=/C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA
---
No client certificate CA names sent
---
SSL handshake has read 1988 bytes and written 299 bytes
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
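The chain-verification question in this thread can be reproduced without the real Thawte or Equifax certificates. The script below is an added example, not something posted to the thread: it builds a throwaway three-tier PKI (self-signed root, an intermediate CA issued by it, and a server certificate issued by the intermediate) and runs `openssl verify` four ways. Every name in it (Example Root CA, www.example.test, the `case_*` helper functions) is constructed for the demo, and it assumes an OpenSSL 1.1.1 or 3.x command-line tool on the PATH. The point it makes: a browser sees the leaf plus the intermediate the server sends and chains them to a root it already trusts, whereas `openssl verify` only sees the files you hand it, so the intermediate has to be supplied, either as trusted in the -CAfile (what Thomas ended up doing) or as an untrusted chain-building cert via -untrusted. Cases A and B below reproduce the two error lines seen in the thread ("error 20 ... unable to get local issuer certificate" and "error 2 at 1 depth lookup: unable to get issuer certificate"), and the `skid_of`/`akid_of` helpers show the SubjectKeyIdentifier/AuthorityKeyIdentifier link that the first post was trying to match by hand.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway three-tier
# PKI and run the same kind of `openssl verify` checks the thread discusses.
# All names below are constructed; none of this is real Thawte/Equifax data.
# Assumes an OpenSSL 1.1.1 or 3.x CLI on PATH.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Self-contained config so the script does not depend on the system
# openssl.cnf. v3_ca gives the CAs basicConstraints CA:TRUE plus a
# subjectKeyIdentifier; authorityKeyIdentifier=keyid copies the issuer's
# SKID into each issued cert (the AKID/SKID link the thread talks about).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.test
EOF

# Root: self-signed trust anchor (the kind of cert a browser ships with).
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -days 30 \
    -subj '/O=Example Trust/CN=Example Root CA' 2>/dev/null

# Intermediate (subordinate) CA: issued by the root, itself allowed to issue.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr \
    -subj '/O=Example Trust/CN=Example Intermediate CA' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null

# Server (leaf) certificate: issued by the intermediate.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr \
    -subj '/O=Example Org/CN=www.example.test' 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Print a cert's SKID / AKID key id as one colon-separated hex string.
# OpenSSL 1.1.1 prefixes the AKID value with "keyid:", 3.x does not, so the
# prefix is stripped to make the two directly comparable.
skid_of() { openssl x509 -in "$1" -noout -text | awk '/Subject Key Identifier/ {getline; gsub(/[ \t]/,""); print; exit}'; }
akid_of() { openssl x509 -in "$1" -noout -text | awk '/Authority Key Identifier/ {getline; gsub(/[ \t]/,""); sub(/^keyid:/,""); print; exit}'; }

# Four verification setups; each returns openssl verify's exit status.
# A: only the root is trusted and the intermediate is absent, so the chain
#    stops at the leaf: "error 20 at 0 depth lookup: unable to get local
#    issuer certificate".
case_root_only()      { openssl verify -CAfile root.pem leaf.pem; }
# B: only the intermediate is in the CAfile. It is found, but it is not
#    self-signed and its issuer is missing: "error 2 at 1 depth lookup:
#    unable to get issuer certificate" (the verify error in the thread).
case_inter_only()     { openssl verify -CAfile inter.pem leaf.pem; }
# C: what a browser effectively does: a trusted root plus the intermediate
#    the server sent, given to OpenSSL as an untrusted chain-building cert.
case_with_untrusted() { openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem; }
# D: root and intermediate both trusted in one CAfile, as in the thread's fix.
case_both_trusted()   { cat root.pem inter.pem > master.list; openssl verify -CAfile master.list leaf.pem; }

echo "leaf  AKID: $(akid_of leaf.pem)"
echo "inter SKID: $(skid_of inter.pem)"
for c in case_root_only case_inter_only case_with_untrusted case_both_trusted; do
    echo "== $c"
    $c 2>&1 || true
done
```

With the live server, the equivalent of case C is to save the intermediate that `openssl s_client -showcerts` prints as chain entry 1 and pass it with -untrusted. OpenSSL 1.0.2 and later also accept `-partial_chain`, which lets a non-self-signed cert in the CAfile act as the trust anchor so that case B succeeds without the root.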