> From: owner-openssl-us...@openssl.org On Behalf Of David Schwartz
> Sent: Monday, 31 January, 2011 09:50
> To: openssl-users@openssl.org
> Cc: Lutz Jaenicke; praveen kumar

> On 1/31/2011 12:25 AM, Lutz Jaenicke [forwarded]:
> > openSSL>s_client -connect ip:port -cert certfile.crt
> >
> > ERROR: unable to load client certificate private key file
> > 3077682908:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: ANY PRIVATE KEY
> > data inside the file like this
> >
> > -----BEGIN CERTIFICATE-----
> [snip]
> > -----END CERTIFICATE-----
> >
> > This is file sent by the server. Please any one help me to
> > connect to the server.
> >
>
> If the file is sent by the server, why are you passing it to
> s_client?

If you look at the cert it appears to be a (private) CA cert.
At least, it is self-signed with subject=issuer containing
emailAddress=c...@olivecryptosystems.com .

If you want to use this cert _as the CAcert to verify the server_ use
  s_client -CAfile certfile.crt
(And perhaps other servers in the same organization.)

Note commandline s_client will make the connection even if
the server (cert) isn't verified (e.g. no CAcert at all).
However other software, particularly other software using
openssl library, usually won't, at least not by default.

> The '-cert' option, when passed to 's_client' is used to specify a
> *client* certificate. Without a corresponding private key, it
> won't work.
>
That's true. Although s_client can accept cert and key
in separate files or both in one file. That's why you get
the mildly confusing error about "expecting ANY PRIVATE KEY
[in certfile]".

Note that it isn't crazy in some cases for a server to also
act as a CA issuing certs to (acceptable) clients. Properly
speaking you should still distinguish these roles, the server
acting as CA vs. the server acting as server for data sessions,
but people often don't.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
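
Added example, not part of the thread and not OpenSSL code: a stdlib-only Python check of which PEM block types a file holds, which is what decides whether `s_client -cert` alone can find a private key in it or fails with "no start line ... Expecting: ANY PRIVATE KEY". The function names, result strings and sample data are constructed for illustration.

```python
import base64
import re

# A PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the labels of the well-formed PEM blocks in text, in order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Encrypted traditional keys carry "Proc-Type:"/"DEK-Info:" headers; skip them.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # body is not base64, so this is not a usable block
        labels.append(label)
    return labels

def is_private_key(label):
    # Labels accepted where OpenSSL reports "Expecting: ANY PRIVATE KEY".
    return label == "PRIVATE KEY" or label.endswith(" PRIVATE KEY")

def classify(text):
    """Say how a PEM file can be used on the s_client command line."""
    labels = pem_labels(text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(is_private_key(l) for l in labels)
    if has_cert and has_key:
        return "cert+key"   # -cert FILE works on its own
    if has_cert:
        return "cert-only"  # -cert FILE needs -key KEYFILE; a CA cert goes to -CAfile
    if has_key:
        return "key-only"   # usable as -key, not as -cert
    return "no-pem"         # no complete PEM block of either kind was found

def _pem(label, payload):
    # Helper for the constructed samples below.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample data: placeholder bytes, not a real certificate or key.
CERT_ONLY = _pem("CERTIFICATE", b"placeholder certificate bytes")
CERT_AND_KEY = CERT_ONLY + _pem("RSA PRIVATE KEY", b"placeholder key bytes")

if __name__ == "__main__":
    for name, text in [("certfile.crt", CERT_ONLY), ("combined.pem", CERT_AND_KEY)]:
        print(name, "->", classify(text))
```

The check looks only at PEM labels; it does not parse the certificate, so telling a CA cert from a client cert still needs `openssl x509 -noout -text`.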