On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:

> hello list,
> We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle
> https requests to our server and it's come to my attention Firefox users
> (non-IE users I assume really) get a message about not being able to verify
> the authenticity of the certificate when they sign onto our sites due to
> Verisign having a newer Intermediate CA. I was given the "pfx" file which I
> converted to pem with the set of commands below:
>
> openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
> openssl rsa -in wfkey030106.pem -out wfcert030106.pem
> openssl x509 -in wfkey030106.pem >>wfcert030106.pem
>
> Verisign told us to update the intermediate cert with the one here:
> http://www.verisign.com/support/install2/intermediate.html but when I try to
> replace the 'BEGIN CERTIFICATE' section in the files above I get errors like
> this:
>
> error reading private key: error"..., 111error reading private key:
> error:0B080074:x509 certificate routines:X509_check_private_key:key values
> mismatch
>
> So my question is using the new Intermediate CA and the pfx file above how
> can I wind up with a working .pem file?

Have a look in the pem file. If you have more than one certificate (the stuff
with BEGIN CERTIFICATE and END CERTIFICATE) delete any after the first. Then
append the intermediate certificate data to the end of the file.

You can use the OpenSSL s_client utility to check it works OK.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
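
The file edit described in the reply above, as an added example that is not part of the original thread: it keeps the private key and the first (server) certificate, which is the one that has to match the key, drops any later certificates, and appends the new intermediate. The function names, new_intermediate.pem, server_chain.pem and HOST are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. rebuild_pem and count_certs are
# hypothetical helper names.

# rebuild_pem BUNDLE INTERMEDIATE
# Writes to stdout: every non-certificate PEM block in BUNDLE (the private
# key), only the FIRST certificate in BUNDLE, then the certificate(s) found
# in INTERMEDIATE.
rebuild_pem() {
    awk '
        /^-----BEGIN / {
            inblock = 1
            iscert = ($0 ~ /^-----BEGIN CERTIFICATE-----/)
            if (iscert) ncert++
        }
        # Keep key blocks and the first certificate. Later certificates and
        # text outside PEM blocks (e.g. "Bag Attributes" lines) are dropped.
        inblock && (!iscert || ncert == 1) { print }
        /^-----END / { inblock = 0 }
    ' "$1"
    # Append the new intermediate, keeping only the PEM block itself.
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { print }
        /^-----END CERTIFICATE-----/ { inblock = 0 }
    ' "$2"
}

# count_certs FILE: number of certificate blocks in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Usage (wfcert030106.pem is the file from the thread; other names are
# placeholders):
#   rebuild_pem wfcert030106.pem new_intermediate.pem > server_chain.pem
# The first certificate must still belong to the private key. These two
# digests have to be identical, otherwise "key values mismatch" comes back:
#   openssl x509 -noout -modulus -in server_chain.pem | openssl md5
#   openssl rsa  -noout -modulus -in server_chain.pem | openssl md5
# After reloading the proxy, list the chain the server actually sends:
#   openssl s_client -connect HOST:443 -showcerts
```

In the s_client output the server certificate should be followed by the new intermediate.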