Hi,
I have a problem in using the openssl with Netscape Certificate Server.
I am using a certficate generated by the Netscape Certificate
Server(residing in regionally different location machine) to run my server
developed using openssl library.
The server certificate got from Netscape certificate Server is of PKCS12
format. Since i am using the functions like
SSL_CTX_use_certificate_file, SSL_CTX_use_RSAPrivateKey_file which uses the
PEM_FILETYPE as third parameter, i had to convert PKCS12 format certificate
file to PEM format file since one of our application is using PKCS12 format
only:
openssl -in test.p12 -out newfile.pem
Here are the contents of the newfile.pem after convertion.
-------------------Contents of newfile.pem-------------------------------
Bag Attributes
friendlyName: TradeView-Asia's Credit Suisse First Boston ID
localKeyID: E1 FF 90 4B EA 9B 20 A7 0A 62 39 0C DA 90 4C B9 4B DC A4 D6
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AF3D450EB53340C7
0E1f83C6uR+CvdyDS12k/2MDbyxf29oyJY0+uRyvK2NlvIFfj1Bly4s2soRsw2pO
HR/xgXBj/13sOAgDgKjvvMtftdys2XypvVXc+5ZKho5j0T1PNwnfLLdt24dnUymL
VPyWQpcSJw4hz0xBKB6DKYx9wJAnPm/loLQ/MNRVEEu/G1Ax9kWYkKz15TRvBoix
tVpMViMKhzVerGtmivvaLVNJvwHbRLIdLOh/y4Qif0+2uRk6+X8d6bB1p2Uuc/1m
ZJR88IBfW8QOxWukHdgYi4l8p+A1RZKijvEqWM+XxCVpCd2S2HbECQ2k1uwyPn7D
RW17VV9fRmvTKaMZMSb14IXB77s1jKTMFrSKDOsQmddGktdrrX0jFHMGsRCcGTfb
4QCNf11eCGp8u5sjUfWfJGtJ9uHxck8VudiNoOgU6Z3yLyUWRjYhWXTVQm8/OoW+
E65TmZ8Vo1I5J9zjoZmhRQS5NaQQiiALpxzN/A++c1dGUoRzFJbxHKjHyilTW3h+
ooKzkv+GmvKf6QF3ToDbmM+Do575jqkahWErMrtUm4zRSVntk5Hgqw4FmYCa2Zg6
C6rKYqO+h0GnJ14bE2/eip7qc0fQ5pS6WSmy6uei0HrRmHWQsgyn+8Ss2AgZ/uT7
E2g02pX4/FPciVMztyBh2J4jw+2fOrExhUnox++WEjFwr67kB4Kfygb4ADBqK0bz
CABTCATTM/0rnov/59TyKUDbaPPl9bc3J/6iybDgoOTe6IVwb19JcW5RlrgFGn0R
joLIWhcNqlPHhSSeQ/NoJbNg7f6NPyq5xcbb+8Lc59M=
-----END RSA PRIVATE KEY-----
Bag Attributes: <Empty Attributes>
subject=/C=UK/O=Credit Suisse First Boston/OU=GWS Europe CA
issuer= /C=UK/O=Credit Suisse First Boston/OU=GWS Europe CA
-----BEGIN CERTIFICATE-----
MIICTDCCAbWgAwIBAgIBATANBgkqhkiG9w0BAQQFADBKMQswCQYDVQQGEwJVSzEj
MCEGA1UEChMaQ3JlZGl0IFN1aXNzZSBGaXJzdCBCb3N0b24xFjAUBgNVBAsTDUdX
UyBFdXJvcGUgQ0EwHhcNOTkwNTIwMTUyNzA2WhcNMDEwNTE5MTUyNzA2WjBKMQsw
CQYDVQQGEwJVSzEjMCEGA1UEChMaQ3JlZGl0IFN1aXNzZSBGaXJzdCBCb3N0b24x
FjAUBgNVBAsTDUdXUyBFdXJvcGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAOjLGUhMrE49ARCwNS0fYyg2/rm0aHgEPXDuMPUmAry4F/eacTCS6QaA53Kr
B8kF7IFodGaKtECA78NQGz6G7AIFqdsdlGdYE0xvN3PJT3aLqEsA6DGA7+uFRscJ
2JQh24/AqIcupCkIJqjleTa/QW4MBJ7VQJ2Z8Q4G18YRNneDAgMBAAGjQjBAMB0G
A1UdDgQWBBTOZUMmvxc7B+wOiSEUv+DgmsKgtDAfBgNVHSMEGDAWgBTOZUMmvxc7
B+wOiSEUv+DgmsKgtDANBgkqhkiG9w0BAQQFAAOBgQCmx83aiy4Btyc+36d6q5nB
HeGBa4PDNsPAibHSsQAEt8KImlI+zJDXDxoJPhGGnCFl8NXjfEEAdUFu3lXM6FxE
kib+IuM+Rnj/ry9UIIv3InqNg/EDVJLRKIXEdTKoNPNCbfHWjZ35CUG2fw3J+ooc
lwOKORJlNmZM43tO2JZo/w==
-----END CERTIFICATE-----
Bag Attributes
friendlyName: TradeView-Asia's Credit Suisse First Boston ID
localKeyID: E1 FF 90 4B EA 9B 20 A7 0A 62 39 0C DA 90 4C B9 4B DC A4 D6
subject=/C=AU/O=CSFB/OU=Equities/0.9.2342.19200300.100.1.1=TradeView-Asia/CN
=TradeView-Asia/Email=jamie.jones@csf
b.com
issuer= /C=UK/O=Credit Suisse First Boston/OU=GWS Europe CA
-----BEGIN CERTIFICATE-----
MIIChDCCAe2gAwIBAgIBCjANBgkqhkiG9w0BAQQFADBKMQswCQYDVQQGEwJVSzEj
MCEGA1UEChMaQ3JlZGl0IFN1aXNzZSBGaXJzdCBCb3N0b24xFjAUBgNVBAsTDUdX
UyBFdXJvcGUgQ0EwHhcNOTkwOTIyMDE0NDQ5WhcNMDEwMzE1MDE0NDQ5WjCBjTEL
MAkGA1UEBhMCQVUxDTALBgNVBAoTBENTRkIxETAPBgNVBAsTCEVxdWl0aWVzMR4w
HAYKCZImiZPyLGQBARMOVHJhZGVWaWV3LUFzaWExFzAVBgNVBAMTDlRyYWRlVmll
dy1Bc2lhMSMwIQYJKoZIhvcNAQkBFhRqYW1pZS5qb25lc0Bjc2ZiLmNvbTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvlLokNj12ayJ7mAcok+tAnlM9m3X3aTw
j7d42wZD1J/FSXUmcP6J8Pg2RxhZb5HYdxY/JSGsedPpCXXmi5JNJpD+CBBNh/3J
JIeHE+4D6Hfz6J5Iey/Y7D/nVo+ut/z4vP92Ldb3J99L5rgCjayrdBsDvw18/wki
3DLiuh0unvkCAwEAAaM2MDQwEQYJYIZIAYb4QgEBBAQDAgBAMB8GA1UdIwQYMBaA
FM5lQya/FzsH7A6JIRS/4OCawqC0MA0GCSqGSIb3DQEBBAUAA4GBAGneaBep46xn
u3xgINncvXHZuacKT9GBwTySWnr+QrpN0Mw835If+USWiNInsgZF2yrPoMxZb8pj
/Tbf+iVa2JNFGwOYQbGw+LoGWJAg0fsp+nf1zjBEDSm4MiijknNB7gTdstFLBUVY
P2kkRxXuTtqx5A/LTZHM1TiphC1ZCdt8
-----END CERTIFICATE-----
-------------------------End of newfile.pem---------------------------------
When using this newfile.pem, i got the following error:
SSL_CTX_use_RSAPrivateKey_file: error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch
So i just copied the contents of issuer,Public Key etc from Netscape
Certificate Server( by getting the details of that certificate).
It worked fine.
-------------------Now the contents of newfile.pem-------------------
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1A70995C43F45106
ZWP3mAIVB3Yf67AwjHB3vtCVmTqJrmJANyYZcUXZT/CSo8CIFF/s5FXoownT/UCq
sIVIQ6tQu1jYVlYmiLbGf150Kk54xw/yMbiYOVtoqrqn+Xk0I2Sg+qXmuK7fa25a
ttmsDJ8YWTdXbXE5jql/DsBik20MdYP686K6ShHoouh2i+tIhwkhTMtRA3XRrb40
SLMv7YoHR54KSeZMUpND9HvY5EC79+yyiCVGfbwbKRwHIWNoolpi9mtkt3ZimxUt
ccqsYwXn2/gzN8UBQsLcOgEWpW2ucgkGT0ZmZihRVwdah9LUY+jKBTokMNr3udJs
DulnGfjGBgJ+BLoGIWGIsf/PF0ltD5Y2G6u8dn9lC43pEn4OKpzwG1/9lUZmjgNp
DqOhI04mT4U/MDGvzE/StvbrmSkn0FsrxPO70NptNzpMQNcwqSVVuHTeVW9vG/Mk
upi/vhl4FI6RCmbxU5wEnKM1kgCMtp8TnxVZjvo8kUKLwGXr3CQq5sCuwlderNkK
b4M+mQ4LlzkULv0kaYurnXSXMV3woC9uY1PdDPmbRZdKc1zuvWUQlU3bMwNSZx7V
43NDQ946OFTWj5SkNJi83hYJzptFftz6gQse6FemkE1bCskKpPt7Eeux/M5+ekWO
ixIm8cu1ujpMqLILQxynvG4hp7JREj6/ZSKzy/ci/BvKLt4UdBrPiOfzeZLOFo09
liL6ZyinirvvKf1KBdHhqAaaInwadrPs+GwXA0L+ID0yIT52kzJMxpHsg9zfg7bp
V5kwgFpCRyTvA0ymSNBMk1nXujr9j0zsf0u3MMbI/LQ=
-----END RSA PRIVATE KEY-----
Bag Attributes
friendlyName: TradeView-Asia's Credit Suisse First Boston ID
localKeyID: E1 FF 90 4B EA 9B 20 A7 0A 62 39 0C DA 90 4C B9 4B DC A4 D6
subject=/C=AU/O=CSFB/OU=Equities/0.9.2342.19200300.100.1.1=TradeView-Asia/CN
=TradeView-Asia/Email=jamie.jones@csf
b.com
issuer= /C=UK/O=Credit Suisse First Boston/OU=GWS Europe CA
serial :10
Certificate:
Data:
Version: v3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: OU=GWS Europe CA, O=Credit Suisse First Boston, C=UK
Validity:
Not Before: Wed Sep 22 02:44:49 1999
Not After: Thu Mar 15 01:44:49 2001
Subject: [EMAIL PROTECTED], CN=TradeView-Asia,
UID=TradeView-Asia, OU=Equities, O=CSFB, C=AU
Subject Public Key Info:
Algorithm: PKCS #1 RSA Encryption
Public Key:
Modulus:
00:be:52:e8:90:d8:f5:d9:ac:89:ee:60:1c:a2:4f:ad:02:79:
4c:f6:6d:d7:dd:a4:f0:8f:b7:78:db:06:43:d4:9f:c5:49:75:
26:70:fe:89:f0:f8:36:47:18:59:6f:91:d8:77:16:3f:25:21:
ac:79:d3:e9:09:75:e6:8b:92:4d:26:90:fe:08:10:4d:87:fd:
c9:24:87:87:13:ee:03:e8:77:f3:e8:9e:48:7b:2f:d8:ec:3f:
e7:56:8f:ae:b7:fc:f8:bc:ff:76:2d:d6:f7:27:df:4b:e6:b8:
02:8d:ac:ab:74:1b:03:bf:0d:7c:ff:09:22:dc:32:e2:ba:1d:
2e:9e:f9
Public Exponent: 65537 (0x10001)
Extensions:
Identifier: Certificate Type
Critical: no
Certified Usage:
SSL Server
Identifier: Authority Key Identifier
Critical: no
Key Identifier:
ce:65:43:26:bf:17:3b:07:ec:0e:89:21:14:bf:e0:e0:9a:c2:
a0:b4
Signature:
Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
69:de:68:17:a9:e3:ac:67:bb:7c:60:20:d9:dc:bd:71:d9:b9:a7:0a:4f:
d1:81:c1:3c:92:5a:7a:fe:42:ba:4d:d0:cc:3c:df:92:1f:f9:44:96:88:
d2:27:b2:06:45:db:2a:cf:a0:cc:59:6f:ca:63:fd:36:df:fa:25:5a:d8:
93:45:1b:03:98:41:b1:b0:f8:ba:06:58:90:20:d1:fb:29:fa:77:f5:ce:
30:44:0d:29:b8:32:28:a3:92:73:41:ee:04:dd:b2:d1:4b:05:45:58:3f:
69:24:47:15:ee:4e:da:b1:e4:0f:cb:4d:91:cc:d5:38:a9:84:2d:59:09:
db:7c
-----BEGIN CERTIFICATE-----
MIIChDCCAe2gAwIBAgIBCjANBgkqhkiG9w0BAQQFADBKMQswCQYDVQQGEwJVSzEj
MCEGA1UEChMaQ3JlZGl0IFN1aXNzZSBGaXJzdCBCb3N0b24xFjAUBgNVBAsTDUdX
UyBFdXJvcGUgQ0EwHhcNOTkwOTIyMDE0NDQ5WhcNMDEwMzE1MDE0NDQ5WjCBjTEL
MAkGA1UEBhMCQVUxDTALBgNVBAoTBENTRkIxETAPBgNVBAsTCEVxdWl0aWVzMR4w
HAYKCZImiZPyLGQBARMOVHJhZGVWaWV3LUFzaWExFzAVBgNVBAMTDlRyYWRlVmll
dy1Bc2lhMSMwIQYJKoZIhvcNAQkBFhRqYW1pZS5qb25lc0Bjc2ZiLmNvbTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvlLokNj12ayJ7mAcok+tAnlM9m3X3aTw
j7d42wZD1J/FSXUmcP6J8Pg2RxhZb5HYdxY/JSGsedPpCXXmi5JNJpD+CBBNh/3J
JIeHE+4D6Hfz6J5Iey/Y7D/nVo+ut/z4vP92Ldb3J99L5rgCjayrdBsDvw18/wki
3DLiuh0unvkCAwEAAaM2MDQwEQYJYIZIAYb4QgEBBAQDAgBAMB8GA1UdIwQYMBaA
FM5lQya/FzsH7A6JIRS/4OCawqC0MA0GCSqGSIb3DQEBBAUAA4GBAGneaBep46xn
u3xgINncvXHZuacKT9GBwTySWnr+QrpN0Mw835If+USWiNInsgZF2yrPoMxZb8pj
/Tbf+iVa2JNFGwOYQbGw+LoGWJAg0fsp+nf1zjBEDSm4MiijknNB7gTdstFLBUVY
P2kkRxXuTtqx5A/LTZHM1TiphC1ZCdt8
-----END CERTIFICATE-----
-------------------------End of newfile.pem---------------------------------
Then i am getting the following errors:
VERIFY ERROR: depth=0 error=unable to get local issuer certificate:
/C=AU/O=CSFB/OU=Equities/0.9.2342.19200300.100.1.1=TradeView-Asia/CN=TradeVi
[EMAIL PROTECTED]
SSL_accept : error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
I think After getting the client certificate, it does the verification
against the CA which it loads from the file /demoCA/cacert.pem
Since i am using the CA as Netscape Certificate Server (residing in some
other regionally different machine), I do not know to where i should point
this /demoCA/cacert.pem file and also what should be the contents.
I am not sure whether this is the cause for the above errors.
Please can anyone help me out in this as early as possible.
Thanks in advance.
Hope to get earliest reply.
Ravi Srinvas M
E-mail : [EMAIL PROTECTED]
Voice mail : +81 3 5404 9592
Fax : +81-3-5473-4441
CREDIT | FIRST
SUISSE | BOSTON
Credit Suisse First Boston (Japan) Limited
5th Floor Shiroyama Hills,
4-3-1 Toranomon,
Minato-ku, Tokyo 105-6002 JAPAN
This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify the
sender. You must not, directly or indirectly, use, disclose, distribute,
print, or copy any part of this message if you are not the intended
recipient. CREDIT SUISSE GROUP and each of its subsidiaries each reserve
the right to monitor all e-mail communications through its networks. Any
views expressed in this message are those of the individual sender, except
where the message states otherwise and the sender is authorised to state
them to be the views of any such entity.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
