At 12:48 AM 10/5/2006, Bernhard Froehlich wrote:
Dan O'Reilly wrote:
Trying to test certs before moving on to LDAP tests. The certs were
obtained from a CA running on a MS box. Here's what happens:
openssl s_client -connect adtest:636 -cert foo.pem "-CAfile" homeca_cert_chain.p7b
Enter pass phrase for foo.pem:
CONNECTED(00000003)
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=adtest.altdomain2000.psccos.com
i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/CN=adtest.altdomain2000.psccos.com
issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
[...]
What is this telling me? I downloaded the CA certificate from the MS
system and have a server certificate. I'm *VERY* lost in all this!
HELP!!!!
Hmm, the error message of s_client is saying that it cannot find the
certificate of the issuer of the server's cert. Since there are no
intermediate CAs involved, the issuer must be contained in the CAfile.
Are you sure the certificate of "/C=US/ST=CO/L=Colorado Springs/O=Process
Software/CN=homeca" is contained in your CAfile (homeca_ce)? Is it
possible for you to post the homeca_ce and the server's cert (snipped out
in your log)?
Here's the server certificate (from foo.pem in the example I showed above):
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=adtest.altdomain2000.psccos.com
issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
openssl pkcs7 -inform der -in homeca_cert_chain.p7b -noout -print_certs -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
51:32:af:86:4c:07:4c:83:43:ed:aa:7c:de:1c:65:07
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CO, L=Colorado Springs, O=Process Software, CN=homeca
Validity
Not Before: Sep 14 16:49:20 2006 GMT
Not After : Sep 14 16:58:20 2011 GMT
Subject: C=US, ST=CO, L=Colorado Springs, O=Process Software, CN=homeca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:cc:6a:56:be:2f:d0:40:bf:78:54:7b:eb:1e:3c:
a6:7d:f7:d9:c7:49:ed:ed:b4:ca:f2:f9:c5:71:4b:
eb:51:a7:4e:ad:de:08:69:94:6c:1e:d6:15:91:ea:
bc:be:46:bc:72:1c:12:95:69:78:28:84:ed:7e:ae:
ca:71:78:7a:6b
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
...C.A
X509v3 Key Usage:
Non Repudiation, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
A2:F6:72:76:37:21:AF:D9:B2:C0:A5:30:F4:4B:E4:69:2B:C1:A0:3B
X509v3 CRL Distribution Points:
URI:ldap:///CN=homeca,CN=adtest,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=altdomain2000,DC=psccos,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
URI:http://adtest.altdomain2000.psccos.com/CertEnroll/homeca.crl
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
a3:9d:30:2f:43:d6:74:2f:f5:e5:d7:5d:29:76:cb:f3:ec:79:
8d:09:83:32:3f:70:b7:29:86:06:24:96:4e:a4:b7:f3:a1:da:
2f:91:7c:3d:18:87:4f:f4:7e:84:ae:27:69:d8:0a:93:0e:74:
24:f7:a1:a3:e3:48:22:97:da:4c
Have you tried connecting without a client certificate as a first step to
make sure the server's cert is verified correctly? Have you tried
connecting another secure server (for example https://www.cacert.org, the
corresponding CA certificate can be downloaded at
http://www.cacert.org/certs/root.crt)?
This may sound silly, but WHAT "client certificate"? I was under the
impression that I needed the CA's certificate and the server certificate
and that was it. Am I wrong?
Just some directions that may (or may not) help you to find the way out...
Hope it helps.
So do I...but it didn't...hopefully the info I posted above will help
figure out where my head space error is...*sigh*...
Thanks in advance!
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
Automated List Manager
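A reproducible version of the problem in this thread, added here as an example and not part of anyone's post: `openssl s_client -CAfile` (like `openssl verify -CAfile`) reads PEM, so a DER-encoded `.p7b` exported from a Windows CA contributes no trust anchors at all, which is exactly what "unable to get local issuer certificate" (error 20) reports for a one-level chain. The script builds a throwaway CA and server certificate (all names such as `example-ca` and `ldap.example.test` are made up), packages the CA certificate as a DER PKCS#7 file the way the thread's `homeca_cert_chain.p7b` was, shows that verification fails against the `.p7b` and succeeds once it is converted with the same `openssl pkcs7 -print_certs` command used above (without `-noout`). It also reports the CA key size, since the CA shown in the thread uses a 512-bit RSA key, far below any current minimum. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Rebuilds the thread's setup with
# a constructed CA and server cert, then compares verification with a DER .p7b
# handed to -CAfile against verification with a converted PEM bundle.
set -eu

# Build a constructed two-level PKI in $1: a self-signed CA and one server cert.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=Example Lab/CN=example-ca" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" \
        -subj "/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/srv.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.pem" >/dev/null 2>&1
    # Package the CA cert the way a Windows CA exports it: a DER PKCS#7 bundle.
    openssl crl2pkcs7 -nocrl -certfile "$dir/ca.pem" -outform DER -out "$dir/ca.p7b"
}

# Convert a DER PKCS#7 bundle ($1) into a PEM file ($2) that -CAfile can load.
# -print_certs without -noout writes every certificate in the bundle as PEM.
p7b_to_pem() {
    openssl pkcs7 -inform der -in "$1" -print_certs -out "$2"
}

# Print "ok" if server cert $2 chains to a CA in file $1, "fail" otherwise.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Print the size of the public key in certificate $1 in bits, e.g. 2048.
# Matches both the "RSA Public Key: (N bit)" and "Public-Key: (N bit)" layouts.
ca_key_bits() {
    openssl x509 -in "$1" -noout -text | grep -o '([0-9]* bit)' | head -n 1 | tr -dc '0-9'
}

main() {
    work="$(mktemp -d)"
    make_test_pki "$work"
    echo "CA public key: $(ca_key_bits "$work/ca.pem") bit"
    echo "verify with DER .p7b as -CAfile:        $(verify_against "$work/ca.p7b" "$work/srv.pem")"
    p7b_to_pem "$work/ca.p7b" "$work/ca_bundle.pem"
    echo "verify with converted PEM bundle:       $(verify_against "$work/ca_bundle.pem" "$work/srv.pem")"
    rm -rf "$work"
}

main
```

Running it prints `fail` for the `.p7b` and `ok` for the converted bundle; the second `-CAfile` is the one to use with `s_client`. The `-cert foo.pem` option in the original command is unrelated to this: it supplies a client certificate for mutual authentication, which a plain server-verification test does not need.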