Hi Yessica:

That error is fairly straightforward - it's can't load the cert (meaning, it 
can't even load the file).

Have you made sure that the permissions are correct? Are you absolutely sure 
that you have the right cert in the right location?

Have fun.

Patrick.
 
On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:

> Hi!
> This is the new certificate:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             d8:e6:a3:f6:22:c7:a4:0b
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, 
> CN=ac/emailAddress=a...@suscerte.gob.ve
>         Validity
>             Not Before: Feb 21 20:15:08 2011 GMT
>             Not After : Feb 21 20:15:08 2012 GMT
>         Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, 
> CN=tsscompany/emailAddress=t...@company.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     00:bd:6e:12:e5:72:37:f2:74:e4:95:f7:43:f2:c7:
>                     00:7d:53:cb:2d:a9:49:68:4d:04:b7:40:8d:b7:cd:
>                     56:23:89:8a:e1:78:d6:a8:bd:a3:ef:16:62:d6:37:
>                     6d:25:ce:eb:9d:30:8a:5e:be:6a:68:6f:bf:cd:f7:
>                     6b:cd:85:f8:c6:62:f3:ea:8e:32:79:2a:d2:38:40:
>                     b9:d7:88:c9:18:5c:63:98:69:ea:b6:95:83:a2:ac:
>                     1b:b4:17:9a:e7:ea:66:bc:c3:e6:c8:e6:47:94:9b:
>                     36:3c:3b:e0:59:9e:85:90:a6:8f:ad:8a:0a:0b:9e:
>                     51:de:ef:93:73:e5:6b:a9:f2:49:ec:c0:46:57:71:
>                     27:fd:85:47:09:f7:90:f7:bb:c5:3a:83:0a:3c:cc:
>                     f2:88:2f:69:5c:80:e2:7f:9e:28:d3:19:09:62:fb:
>                     2b:61:a4:f8:4c:64:d6:72:cb:41:a9:68:69:38:8b:
>                     3f:03:04:83:26:e0:9a:ce:be:1f:05:f0:6d:99:2c:
>                     87:16:97:e2:7f:8b:2f:b1:eb:19:2f:10:45:00:2c:
>                     8e:dd:f5:80:de:cf:c7:17:a0:cc:cf:0d:f3:48:19:
>                     7f:5b:b0:dd:51:a8:80:e0:65:eb:79:ef:ea:fc:d8:
>                     6d:a5:2d:e3:06:b0:83:83:14:7f:61:f9:dc:ea:a7:
>                     7a:4b
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints: 
>                 CA:FALSE
>             X509v3 Key Usage: 
>                 Digital Signature, Non Repudiation, Key Encipherment
>             Netscape Comment: 
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier: 
>                 FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
>             X509v3 Authority Key Identifier: 
>                 
> keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
> 
>             X509v3 Subject Alternative Name: 
>                 email:t...@company.com
>             X509v3 Extended Key Usage: critical
>                 Time Stamping
>     Signature Algorithm: sha1WithRSAEncryption
>         02:d1:fd:44:de:1e:9f:e0:29:66:35:8f:43:da:e6:b5:20:43:
>         52:90:b0:dc:8a:0f:09:92:9e:c2:6b:dc:14:ab:2c:9f:1b:8e:
>         02:76:9a:17:08:77:ca:26:06:13:25:9e:4a:e2:bf:bb:2b:4d:
>         cf:67:41:c0:2b:3a:1a:d0:ae:a8:88:3c:13:e2:0d:f6:9c:1e:
>         e7:ba:ef:22:c6:b8:18:3b:a8:5e:f9:0e:43:b8:de:82:b1:e0:
>         be:00:d2:57:9c:f3:d9:48:72:28:70:5d:06:d7:73:84:bc:f7:
>         5e:65:27:86:0d:e8:28:b4:dd:72:4d:8e:59:02:cc:39:0f:8d:
>         47:87
> 
> And this is the error:
> [Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509 certificate: 
> /usr/local/ssl/misc/demoCA/tss.pem
> [Mon Feb 21 20:15:37 2011] [error] 
> mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
> [Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa 
> initialisation.
> 
> Thanks!!!
> 
> 2011/2/21 Jaroslav Imrich <jaroslav.imr...@gmail.com>
> Hello Yessica,
> 
> please post new certificate and exact error you're getting.
> 
> -- 
> 
> Kind Regards / S pozdravom
> 
> Jaroslav Imrich
> http://www.jariq.sk
> 
> 
> 
> On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao <yessima...@gmail.com> 
> wrote:
> hello!!!
> Thanks for the response!
> 
> Yes I needed the extension to Time Stamping, however when I load the sample 
> certificate in the OpenTSA page, continues to show me the same error. I 
> created a certificate with the correct extension and likewise gives me error.
> 
> I really do not know what may be happening.
> 
> Thank you very much!
> 
> 
> 
> 2011/2/18 Jaroslav Imrich <jaroslav.imr...@gmail.com>
> Hello Yessica,
> 
> 
> this line in your logs tells you where the error occured:
> 
> 
> [Thu Feb 17 19:23:09 2011] [error] 
> mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
> 
> When you look into source code of openssl ts module - 
> http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2 - 
> you can see that line 206 contains following code:
> 
>         if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1)
>                 {
>                 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
>                       TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
>                 return 0;
>                 }
> 
> That means loading of TSA certificate failed because of incorrect extensions.
> 
> Certificate you posted has critical mark on "X509v3 Subject Alternative Name" 
> which is completely wrong in this case. It is "Time Stamping" that has to be 
> marked as critical.
> 
> 
> -- 
> Kind Regards / S pozdravom
> 
> Jaroslav Imrich
> http://www.jariq.sk
> 
> 
> 
> -- 
> Saludos!
> Yessica De Ascencao
> 0426-7142582
> 
> 
> 
> -- 
> Saludos!
> Yessica De Ascencao
> 0426-7142582

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to