On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote: > Quoting "Dr. Stephen Henson" <[EMAIL PROTECTED]>: > > > On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote: > > > > > Quoting "Dr. Stephen Henson" <[EMAIL PROTECTED]>: > > > > > > I've already done this except the testing with s_client part, I tested > > > with > > > firefox which still generates the same error with that. I just tested with > > > s_client and I get "Verify return code 21: unable to verify the first > > > certificate". > > > > > > > Use the -showcerts option to s_client to see which certificates the server > > is > > sending. > > It's sending both in the pem ... > > > > > Also include the root CA as an argument to the -CAfile option. > > same results. (code 21) >
Can you give the full error message? It looks like it is the wrong intermediate CA being sent. With the server cert do: openssl x509 -in cert.pem -issuer -noout that should match: openssl x509 -in intermediate.pem -subject -noout Is this server on the internet somewhere? If so I can work out which intermediate CA you need. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]