On Thu, Oct 09, 2008 at 05:43:15PM +0200, Andrej Podzimek wrote:

> >When a PEM file holds multiple certificates (a chain), this command
> >only shows the first one. You need to break each of the ".crt" files
> >into separate files for each certificate, and look at those.
> 
> The root.crt file holds exactly one self-signed CA certificate. This CA was 
> then used to create postgresql.crt and server.crt. Each file contains 
> exactly one certificate. There are no chains.
> 
> There is only one block like this in each file:
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> 
> Should I try to append the CA certificate to the server and client 
> certificate files? Some apps require this, but PostgreSQL worked just fine 
> without it till the beginning of October.

If the client and server's certificate files are fresh, the only other
certs that can be stale are the client or server's copies of the root
CA cert in CAfile or CApath.

Running "ssldump" or "wireshark" on a capture of the session will reveal
which certs are exchanged on the wire, and which side initiates the alert,
but it will not reveal which side has the stale root CA cert.

Do check your CAfile and CApath settings on both sides, ...

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
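
As an added example, not part of the original message: a small shell helper for the CAfile/CApath check recommended above. It lists every certificate in each PEM file it is given, not only the first, with expiry date and SHA-256 fingerprint so that the client's and the server's copies of the root CA can be compared. The function names are hypothetical, and it assumes the `openssl` command-line tool and `awk` are installed.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# split_pem FILE OUTDIR
# Write each BEGIN/END CERTIFICATE block in FILE to OUTDIR/cert-N.pem and
# print the number of blocks found (0 if the file holds no certificate).
split_pem() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# report_certs FILE...
# For each file (for example each side's CAfile, or the files in a CApath
# directory) print subject, issuer, notAfter and SHA-256 fingerprint of every
# certificate it contains, and flag certificates that have already expired.
report_certs() {
    tmp=$(mktemp -d) || return 1
    for f in "$@"; do
        rm -f "$tmp"/cert-*.pem
        count=$(split_pem "$f" "$tmp")
        echo "== $f: $count certificate(s)"
        i=1
        while [ "$i" -le "$count" ]; do
            openssl x509 -in "$tmp/cert-$i.pem" -noout \
                -subject -issuer -enddate -fingerprint -sha256
            # -checkend 0 exits non-zero if the certificate is already expired
            openssl x509 -in "$tmp/cert-$i.pem" -noout -checkend 0 >/dev/null \
                || echo "   ^ EXPIRED"
            i=$((i + 1))
        done
    done
    rm -rf "$tmp"
}

# Run as: sh script.sh <client root.crt> <server root.crt>
# (the paths are whatever CAfile each side is configured with)
if [ "$#" -gt 0 ]; then
    report_certs "$@"
fi
```

Matching fingerprints on both sides mean both hold the same root CA certificate; a copy whose fingerprint differs from the current root.crt, or that is flagged as expired, is the stale one.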
