On Tue, Sep 14, 2004, Steve Ankeny wrote:

> Here's the commands I used to create my own CA and my own certificate
> and key ....
>
> "CA.pl -newca"
> "CA.pl -newreq"
> "CA.pl -signreq"
>
> Everything went well (no errors), and I wound up with newcert.pem and
> newreq.pem (as well as cacert.pem as expected).
>
> I renamed newcert.pem and newreq.pem to help identify them.
>
> "mv newcert.pem server.net.pem"
> "mv newreq.pem server.net.key"
>
> I copied them to the Apache directories ssl.crt and ssl.key and edited
> the vhost-ssl.conf file to point to the proper files.
>
> Here's the output of "openssl s_client -connect server.net:443"
>
> root:~ # openssl s_client -connect server.net:443
>
> CONNECTED(00000003)
> depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
>    i:/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED]
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDcjCCAtugAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJVUzEQ
> MA4GA1UECBMHSW5kaWFuYTEiMCAGA1UEChMZUHlyYW1pZCBNb3J0Z2FnZSBBdWRp
> dGluZzEQMA4GA1UEAxMHcG1hY2VydDEkMCIGCSqGSIb3DQEJARYVc2Fua2VueUBu
> [redacted]
> 7IJxQa5W/bwcEKU+MoBlUYO1d+HDng==
> -----END CERTIFICATE-----
>
> subject=/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
> issuer=/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED]
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1450 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: A526ACD02BA92C111FFA4E63FA293521429D1827014D2B57390FA99715ED7CDB
>     Session-ID-ctx:
>     Master-Key: 09A5F29D451372431FF71B3037A9943AA3106328D8EEA7422E88750FA4102F05F39FBB5C9906B2465D6B
>     Key-Arg   : None
>     Start Time: 1095188189
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> closed
>
> Here are the lines that bother me .....
>
> verify error:num=20:unable to get local issuer certificate
> verify error:num=27:certificate not trusted
> verify error:num=21:unable to verify the first certificate
>
> Is there anything wrong with how I created these?
>
No, nothing wrong, it's just that's what the s_client utility does when
presented with a CA it doesn't trust. If you include -CAfile cacert.pem on
the command line you shouldn't get that any more.

> Mozilla times out when trying to connect to the server (with or without
> the certificate). What am I doing wrong?
>
> Thanks for getting me this far.
>

You should type in the URL https://myhostname.whatever.org/ into Mozilla.
It's not clear why you get a timeout error. Is that the exact error Mozilla
comes up with? Are you connecting from the same machine you did the s_client
test on? If not then it's possible the route is blocked by a firewall or
something like that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
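A reproducible version of the point made in the reply, added here as an example and not taken from the thread: it builds a throwaway private CA and a server certificate issued by it (using openssl req/x509 directly instead of CA.pl; the subject names, hostname server.example.test and temporary directory are all constructed), then runs openssl verify on the server certificate once without and once with -CAfile. The first run reproduces verify error 20 from Steve's s_client output, because the private CA is not in the default trust store; the second passes. openssl verify is used rather than s_client so the check runs without a listening server, and it is the pre-deployment check worth running on any freshly issued certificate.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce
# "unable to get local issuer certificate" (verify error 20) with a
# throwaway private CA, then clear it by pointing OpenSSL at that CA
# with -CAfile. Subject names and the work directory are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private CA (the CA.pl -newca step): self-signed, 30-day validity.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/ST=State/O=Company/CN=Example Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. Server key and CSR (the CA.pl -newreq step).
openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=State/O=Company/CN=server.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. Issue the server certificate from the CSR (the CA.pl -signreq step).
openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null

# Verify against the default trust store only. The private CA is unknown
# there, so this fails with "error 20 ... unable to get local issuer
# certificate", which is what s_client reports when it is not given
# -CAfile. Exit status is non-zero on failure.
verify_without_ca() {
    openssl verify "$WORK/server.pem" 2>&1
}

# Verify with the CA certificate supplied explicitly. Exits 0 and prints
# "<path>: OK" once the chain builds up to that CA.
verify_with_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.pem" 2>&1
}

echo "--- without -CAfile (what s_client showed) ---"
verify_without_ca || true
echo "--- with -CAfile cacert.pem ---"
verify_with_ca
```

The same -CAfile argument works for s_client; the three messages in the original output (errors 20, 27 and 21) all stem from the single missing issuer in the client's trust store, so supplying the CA certificate clears all of them at once. Note that this only tells the local OpenSSL to trust the CA; a browser such as Mozilla keeps its own store and has to be given cacert.pem separately.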