Quoting "Dr. Stephen Henson" <[EMAIL PROTECTED]>:

> On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
>
> > hello list,
> > We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle
> > https requests to our server and it's come to my attention Firefox users
> > (non-IE users I assume really) get a message about not being able to verify
> > the authenticity of the certificate when they sign onto our sites due to
> > Verisign having a newer Intermediate CA. I was given the "pfx" file which I
> > converted to pem with the set of commands below:
> >
> > openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
> > openssl rsa -in wfkey030106.pem -out wfcert030106.pem
> > openssl x509 -in wfkey030106.pem >>wfcert030106.pem
> >
> > Verisign told us to update the intermediate cert with the one here:
> > http://www.verisign.com/support/install2/intermediate.html but when I try to
> > replace the 'BEGIN CERTIFICATE' section in the files above I get errors like
> > this:
> >
> > error reading private key: error"..., 111error reading private key:
> > error:0B080074:x509 certificate routines:X509_check_private_key:key values
> > mismatch
> >
> > So my question is using the new Intermediate CA and the pfx file above how
> > can I wind up with a working .pem file?
> >
>
> Have a look in the pem file.
>
> If you have more than one certificate (the stuff with BEGIN CERTIFICATE and
> END CERTIFICATE ) delete any after the first.
>
> Then append the intermediate certificate data to the end of the file.
>
> You can use the OpenSSL s_client utility to check it works OK.

I've already done this, except the testing with s_client part; I tested with
Firefox, which still generates the same error with that. I just tested with
s_client and I get "Verify return code 21: unable to verify the first
certificate".

Is there any other information I can give the list to help find a solution?

>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
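
The file layout suggested in the quoted reply (private key, one server certificate, then the intermediate appended) can be checked offline before pointing a browser or s_client at the proxy. This is an added example, not part of the original thread: the CA chain, subjects and file names are constructed, `check_pem` and `make_demo` are hypothetical helper names, and the throwaway root stands in for the client's trust store.

```sh
#!/bin/sh
# Added example: constructed CA chain, not the certificates from the thread.

# check_pem BUNDLE ROOT -> prints "ok" (returns 0), "key values mismatch" (1)
# or "chain incomplete" (2).
check_pem() {
    bundle=$1 root=$2
    # 1. The private key must belong to the FIRST certificate in the file.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$bundle" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key values mismatch"; return 1; }
    # 2. First certificate plus the ones appended after it must reach the root.
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$bundle" > "$bundle.certs"
    openssl x509 -in "$bundle" -out "$bundle.leaf"
    openssl verify -CAfile "$root" -untrusted "$bundle.certs" "$bundle.leaf" \
        >/dev/null 2>&1 || { echo "chain incomplete"; return 2; }
    echo ok
}

# make_demo DIR: build a throwaway root -> intermediate -> server chain and
# three candidate PEM files (all names and subjects are constructed).
make_demo() (
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > c.cnf
    openssl req -config c.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Root" -days 2 -keyout root.key -out root.pem 2>/dev/null
    openssl req -config c.cnf -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile c.cnf -extensions ca -days 2 -out int.pem 2>/dev/null
    openssl req -config c.cnf -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout srv.key -out srv.csr 2>/dev/null
    openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out srv.pem 2>/dev/null
    cat srv.key srv.pem int.pem > good.pem   # key, server cert, intermediate
    cat srv.key int.pem > swapped.pem        # server cert replaced by intermediate
    cat srv.key srv.pem > nochain.pem        # intermediate never appended
)

demo=$(mktemp -d) && make_demo "$demo"
for f in good swapped nochain; do
    printf '%s.pem: ' "$f"
    check_pem "$demo/$f.pem" "$demo/root.pem"
done
```

Against a real file, pass the CA's root certificate as the second argument; a "chain incomplete" result means the client cannot build a path from the server certificate to that root with the certificates in the file.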



