Dan O'Reilly wrote:
> Trying to test certs before moving on to LDAP tests. The certs were obtained from a CA running on a MS box. Here's what happens:

Hmm, the error message of s_client is saying that it cannot find the certificate of the issuer of the server's cert. Since there are no intermediate CAs involved the issuer must be contained in the CAfile. Are you sure the certificate of "/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca" is contained in your CAfile (homeca_ce)? Is it possible for you to post the homeca_ce and the server's cert (snipped out in your log)?

> openssl s_client -connect adtest:636 -cert foo.pem "-CAfile" homeca_ce rt_chain.p7b
> Enter pass phrase for foo.pem:
> CONNECTED(00000003)
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=adtest.altdomain2000.psccos.com
>    i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> <snip>
> -----END CERTIFICATE-----
> subject=/CN=adtest.altdomain2000.psccos.com
> issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
> [...]
>
> What is this telling me? I downloaded the CA certificate from the MS system and have a server certificate. I'm *VERY* lost in all this!
>
> HELP!!!!

Have you tried connecting without a client certificate as a first step to make sure the server's cert is verified correctly? Have you tried connecting to another secure server (for example https://www.cacert.org, the corresponding CA certificate can be downloaded at http://www.cacert.org/certs/root.crt)?

Just some directions that may (or may not) help you to find the way out...

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
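
Added example, not part of the original thread and not either poster's commands: an offline reproduction of the two checks suggested in the reply, namely whether the issuer named in the server certificate is the subject of the certificate in the CA file, and whether the server certificate verifies against that file. The CA names, host name and file names are constructed for the lab, and the issuer comparison assumes the CA file is a single PEM certificate.

```shell
#!/bin/sh
# Constructed lab (all names are made up): a throwaway CA, a server
# certificate it issues, and a second CA that did not issue anything.
LAB=$(mktemp -d) && trap 'rm -rf "$LAB"' EXIT

new_ca() {      # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Lab/CN=$2" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}
new_server() {  # $1 = issuing CA prefix, $2 = CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$LAB/srv.key" -out "$LAB/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/srv.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 2 -out "$LAB/srv.pem" 2>/dev/null
}

# Print a certificate's issuer or subject DN in one canonical form.
dn() {          # $1 = issuer|subject, $2 = PEM certificate
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}
# Is the issuer named in the server cert the subject of the CA file's cert?
# (Assumption: reads only the first certificate in the CA file.)
issuer_in_cafile() { [ "$(dn issuer "$1")" = "$(dn subject "$2")" ]; }

# Offline equivalent of the s_client chain check: succeed only on "OK".
verify_ok() {   # $1 = CAfile, $2 = certificate
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}
# First verify error number reported
# (20 = unable to get local issuer certificate).
verify_error() {  # $1 = CAfile, $2 = certificate
  openssl verify -CAfile "$1" "$2" 2>&1 |
    sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

new_ca homeca "homeca-lab"; new_ca other "other-ca"
new_server homeca "adtest.lab.example"

for ca in homeca other; do
  if verify_ok "$LAB/$ca.pem" "$LAB/srv.pem"; then result="OK"
  else result="error $(verify_error "$LAB/$ca.pem" "$LAB/srv.pem")"; fi
  issuer_in_cafile "$LAB/srv.pem" "$LAB/$ca.pem" && match=yes || match=no
  echo "CAfile=$ca.pem issuer-matches=$match verify=$result"
done
```

The CA file that did not issue the server certificate reproduces the num=20 error from the log, while the issuing CA's file verifies cleanly.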
