> From: owner-openssl-us...@openssl.org On Behalf Of Ariel
> Sent: Monday, 11 October, 2010 20:05

> I have a site (Rails app) that I'm trying to setup with SSL
> and SSL Client Certificate (using nginx).
> I bought a wildcard one-domain certificate at GoDaddy in order
> to support multiple subdomains to my site: *.mysite.com
> I downloaded the cert file and the bundle file; combined them into
> one single cert and setup my nginx SSL directives to use it as suggested here [1].
> Then I try to verify my setup using the openssl command line tool and I got this:
> $ openssl s_client -connect mysite.com:443 -showcerts
> CONNECTED(00000003)
> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
<snipped>

Looks right, but you have to give s_client the root(s) to verify against.
It does NOT automatically default, at least not in the standard distro.
Get your desired root cert -- ValiCert Class 2 Policy Validation Authority --
in a file in PEM format and give s_client -CAfile filename.
(There are other ways to do this, but that's simplest.)

Or test from a browser that comes with 'mainstream' CAs built in.
Even if your app doesn't talk HTTP, the browser should complete
the SSL connection successfully before it gets an HTTP error.
The two I have to hand, IE7 and FF3.6, do appear to include this CA.
That is a good place to get the file you use for s_client above.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
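
Added example, not part of the original message or of the OpenSSL project: an offline reproduction of the error 19 result and of the -CAfile fix, using `openssl verify` in place of a live `s_client` connection. The root and leaf are constructed throwaway certificates (all names and file names are assumptions), and `-untrusted` stands in for certificates a server sends in its chain.

```shell
#!/bin/sh
# Constructed throwaway PKI: a self-signed root and one leaf it signs.
# example.test and every file name here are made up for this example.
make_chain() {
    dir=$1
    # Self-signed root, standing in for the public root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Example/CN=Constructed Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Leaf key and CSR for a wildcard name, then sign the CSR with the root.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=*.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# The root is only presented (as a server would send it), not trusted.
# The chain builds up to the self-signed root, but no local trust anchor
# matches it, so openssl reports error 19 at depth 1. Newer releases
# spell the message "self-signed"; the error number is the same.
# Exit status is ignored because old releases return 0 even on failure.
verify_presented_only() {
    openssl verify -untrusted "$1/root.pem" "$1/leaf.pem" 2>&1 || true
}

# Same leaf, with the root supplied as a trust anchor via -CAfile.
verify_with_cafile() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 || true
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir" || { echo "certificate generation failed" >&2; exit 1; }
echo "--- root sent in the chain but not trusted:"
verify_presented_only "$demo_dir"
echo "--- root given with -CAfile:"
verify_with_cafile "$demo_dir"
```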