>       From: owner-openssl-us...@openssl.org On Behalf Of vishal saraswat
>       Sent: Tuesday, 18 August, 2009 07:44

>       I am sorry, I forgot to tell you that the final PEM I create 
> is composed of key and certificate both.
>       cat server_key.pem server server_cert.pem > server.pem
>       I read on some blogs that some servers require both to be in one file,
> that's why to be on the safer side I started following this practice. I hope
> it's fine.

It's OK. OpenSSL commandline does not require this, but does allow it.
        
>       Now I suppose that once a client is successfully connected 
> it should return me code as 0 and an OK message. Right? 
> But I get return value as 7 (Certificate Signature Failure), 
> 21 (Unable to verify the first certificate.)

Signature failure? Not just "unable to get issuer"? 

To verify, any client does need to have available the CA cert 
that signed the cert the server uses. In the general case with 
the client on a different machine than the server this must be 
a copy, and thus you need to make sure the right file (version) 
gets copied, but for loopback testing you can use the same file(s).

s_client supports two ways: a single file containing either one CAcert 
or several concatenated, specified with -CAfile; or a directory specified 
by -CApath that contains a file for each CA cert with its filename or 
a symlink to it using the hash of the cert's name, allowing lookup.

In your earlier email s_client specified neither of these and should 
have gotten 20 unable to get local issuer cert (and 21 unable to verify).
I think the only way you should get signature failure is if 
you give s_client a CAcert which is for the correct CA name 
but has a different public key. Perhaps, if you've tried this 
(sort of) test several times, the file from an earlier iteration.

>       p.s. - Can I connect multiple s_client to a single s_server ?
        
In sequence, but not concurrently. For that you need a real server. <G>
        


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
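
The lookup options and failure cases discussed in the reply above, as an added example that is not part of the original post: it builds a throwaway CA and server certificate (all names and files are constructed) and checks them with `openssl verify`, which accepts the same `-CAfile` and `-CApath` options as `s_client`. The error number printed for the stale CA depends on the OpenSSL version and on whether the certificates carry key identifier extensions.

```shell
#!/bin/sh
# Added example: throwaway CA and server certificate; all names are constructed.

make_ca() {   # $1 = output prefix; same subject name on every call, fresh key pair
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Test CA" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

build_pki() { # $1 = work directory
    mkdir -p "$1/capath" &&
    make_ca "$1/ca" &&
    make_ca "$1/stale_ca" &&   # "earlier iteration": right CA name, wrong public key
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$1/server_key.pem" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 2 -out "$1/server_cert.pem" 2>/dev/null &&
    # -CApath finds a CA by file name: <hash of the CA's subject name>.0
    cp "$1/ca.pem" "$1/capath/$(openssl x509 -in "$1/ca.pem" -noout -hash).0"
}

# check <label> <openssl verify args...>: print the verdict, return verify's status
check() {
    label=$1; shift
    out=$(openssl verify "$@" 2>&1) && rc=0 || rc=$?
    printf '%-10s %s\n' "$label" \
        "$(printf '%s\n' "$out" | grep -E 'error [0-9]+|: OK' | tr '\n' ' ')"
    return "$rc"
}

demo() {
    d=$(mktemp -d) || return 1
    build_pki "$d" || return 1
    check "no CA"    "$d/server_cert.pem" || :                           # issuer unknown
    check "-CAfile"  -CAfile "$d/ca.pem" "$d/server_cert.pem"            # OK
    check "-CApath"  -CApath "$d/capath" "$d/server_cert.pem"            # OK
    check "stale CA" -CAfile "$d/stale_ca.pem" "$d/server_cert.pem" || : # must fail
    rm -rf "$d"
}

demo
```

Because the stale CA has the same subject name as the real one, it also has the same `-hash` value, so in a `-CApath` directory the two would compete for the same file name.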
