"Visionary Website Creations, Inc." wrote:
> 
> At 11:07 PM 11/20/00 +0000, you wrote:
> >There should be either a load of trusted certificates in a single file
> >or a directory containing them. If you are using client authentication
> >then it may try to read the whole lot in. If one is corrupt then this
> >could be a problem.
> >
> >Actually now I look at the error message:
> >
> >error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
> >
> >I can't find the relevant function in OpenSSL: does it give *exactly*
> >the same error? If so then I suggest you get the function to print out
> >the file it is trying to load when it gets the error and then examine
> >it.
> >
> >Alternatively try using the s_server utility as a test server to check
> >it works OK.
> >
> 
> Thank you for your help.  Prior to trying your suggestions this morning, I
> received a message from a Thawte rep asking if I had tried a test cert on
> the system. I had not tried a test cert, but I have now. Initially it
> failed just the way that the original cert had, but I decided to try
> several certificate types to see if that was the problem.  It ended up
> working with the "Test X509v1 SSL Cert".  For a website that doesn't need
> anything more than a "standard" SSL connection, does the X509v3 offer any
> more security or other differences above the x509v1?  If deemed important
> to change to an X509v3 format, can OpenSSL handle it?
> 

Yes, OpenSSL can handle v3 format. Indeed v1 format should be avoided
where possible because it is somewhat restrictive and has some security
issues.

Can you try the certificate with s_server:

openssl s_server -www -cert certfile -key keyfile -port 443

and see if you get any errors with that? You should also be able to
connect to it using a web browser and get a status page.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
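
Added example (not part of the original message and not OpenSSL code): a way to tell whether a certificate file is X509v1 or X509v3 before deploying it. In the certificate's DER encoding the version is an optional [0] field at the start of tbsCertificate; when it is absent the certificate is v1, and only v3 certificates can carry extensions. The function names are this example's own, and the sample inputs are constructed skeletons, not real certificates.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def pem_to_der(pem):
    """Strip the PEM armour of a single certificate and decode the base64 body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]))

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)        # first field of tbsCertificate
    if tag != 0xA0:                             # no [0] version field: DEFAULT v1
        return 1
    tag, start, end = read_tlv(der, start)      # INTEGER inside the [0] wrapper
    if tag != 0x02 or end - start != 1 or der[start] > 2:
        raise ValueError("malformed version field")
    return der[start] + 1                       # encoded 0, 1, 2 mean v1, v2, v3

def _tlv(tag, content):
    """Encode a short-form DER element (enough for the constructed samples)."""
    return bytes([tag, len(content)]) + content

# Constructed samples: skeletons truncated after serialNumber, not valid certificates.
_SERIAL = _tlv(0x02, b"\x01")
SAMPLE_V1 = _tlv(0x30, _tlv(0x30, _SERIAL))
SAMPLE_V3 = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _SERIAL))
SAMPLE_V3_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_V3).decode()
                 + "\n-----END CERTIFICATE-----\n")
```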
