Hello,
> We have a web server running on Apache/Tomcat platform (Sun Solaris 10) 
> with a VeriSign certificate. I'm trying to use the same certificate with 
> openssl 0.9.8f for my stand-alone web services application (listening on 
> separate ports, of course). So I followed the procedure as in 
> http://mark.foster.cc/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips 
> to convert the certificate and key files. In short, the PEM converted 
> private key file and certificate file are combined to come up with final 
> server key file.
> When tested with 'openssl s_server' and 'openssl s_client', the client 
> side complains as follows:
> 
>    (on server side) % openssl s_server -cert converted_key_certificate.pem
>    (on client side) % openssl s_client
> 
>    depth=0 /C=US/ST=California/L=San Jose/O=Aeris Communications, Inc./OU=Unknown/OU=..
>    verify error:num=20:unable to get local issuer certificate
>    verify return:1
> 
> If I provide the intermediate CA certificate from VeriSign on the client 
> side, then I get different error message as follows:
> 
>    (on client side) % openssl s_client -CAfile converted_intermediate_CA_from_VeriSign.pem
> 
>    verify error:num=2:unable to get issuer certificate
>    issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority'
>    verify return:0
This means that this is an intermediate certificate; you should get the
full CA certificate chain from VeriSign.
Display your certificate subject/issuer:
 $ openssl x509 -in your_cert.pem -noout -subject -issuer
Next, get the CA certificate which has as "subject" your cert's "issuer" and
display these two "fields" of this CA certificate. If subject != issuer,
get the next intermediate CA certificate which has as "subject" this CA
cert's issuer, and go up until the last CA's subject == issuer.
Next, copy all these CA certs to CA.pem and use it as the CA certs.
You may also easily verify your cert against the CA certs with the command:
 $ openssl verify -CAfile CA.pem your_cert.pem

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
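
The subject/issuer walk described in the reply above, written out as a shell function. This is an added example, not part of the original message; the function names and the ca_candidates directory are assumptions, and it expects one certificate per *.pem file.

```shell
#!/bin/sh
# Added example: follow issuer -> subject links from a certificate up to the
# self-signed root and collect the CA certificates into one file (CA.pem).
# Assumption: each *.pem file in the candidate directory holds one certificate.

# Print one name field of a certificate without the "subject=" / "issuer=" label.
cert_field() {   # $1 = -subject or -issuer, $2 = PEM file
    openssl x509 -in "$2" -noout "$1" | sed 's/^[a-z]*= *//'
}

# build_ca_file CERT CA_DIR OUT
# Returns 0 when the chain ends at a self-signed root, 1 when an issuer
# certificate is missing from CA_DIR, 2 on an unreadable certificate,
# 3 when the chain is longer than 10 links (issuer loop).
build_ca_file() {
    current=$1; ca_dir=$2; out=$3
    : > "$out"
    depth=0
    while [ "$depth" -lt 10 ]; do
        subject=$(cert_field -subject "$current")
        issuer=$(cert_field -issuer "$current")
        [ -n "$subject" ] && [ -n "$issuer" ] || return 2
        # subject == issuer: self-signed root, top of the chain reached
        [ "$subject" = "$issuer" ] && return 0
        next=
        for candidate in "$ca_dir"/*.pem; do
            [ -f "$candidate" ] || continue
            if [ "$(cert_field -subject "$candidate")" = "$issuer" ]; then
                next=$candidate
                break
            fi
        done
        if [ -z "$next" ]; then
            echo "no CA certificate with subject: $issuer" >&2
            return 1
        fi
        cat "$next" >> "$out"
        current=$next
        depth=$((depth + 1))
    done
    return 3
}

# Typical use, with the file names from the message above
# (ca_candidates is a hypothetical directory of downloaded CA certificates):
#   build_ca_file your_cert.pem ./ca_candidates CA.pem &&
#       openssl verify -CAfile CA.pem your_cert.pem
```

Matching on the printed names only selects candidate certificates; the final openssl verify run is what checks the signatures along the chain.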

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
