Probably missing something simple, but I'm having a tough time
validating the CA chain for a certificate. There is a second
certificate, seemingly signed by the same CA which does validate.
I'm not sure how useful this tool is, but it seems to indicate both
certs were signed by the same CA.
http://www.sslshopper.com/ssl-checker.html#hostname=dealer.md-bmc.rpdss.com
http://www.sslshopper.com/ssl-checker.html#hostname=dealer2.dc.rpdss.com
OpenSSL has other ideas. First one validates fine, second one does not.
I can't for the life of me figure out what the difference is.
Any ideas?
David
[root@rhesprodipvs01 ~]# openssl s_client -connect dealer.md-bmc.rpdss.com:443
CONNECTED(00000003)
depth=3 C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure Server Certification Authority
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify return:1
depth=0 C = CA, ST = SK, L = Regina, O = Business Watch International Inc., OU = RPDSS, CN = *.md-bmc.rpdss.com
verify return:1
---
Certificate chain
0 s:/C=CA/ST=SK/L=Regina/O=Business Watch International Inc./OU=RPDSS/CN=*.md-bmc.rpdss.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
.....
Verify return code: 0 (ok)
[root@rhesprodipvs01 ~]# openssl s_client -connect dealer2.dc.rpdss.com:443
CONNECTED(00000003)
depth=0 C = CA, ST = Saskatchewan, L = Regina, O = Business Watch International Inc, OU = RPDSS, CN = *.dc.rpdss.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CA, ST = Saskatchewan, L = Regina, O = Business Watch International Inc, OU = RPDSS, CN = *.dc.rpdss.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = CA, ST = Saskatchewan, L = Regina, O = Business Watch International Inc, OU = RPDSS, CN = *.dc.rpdss.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=CA/ST=Saskatchewan/L=Regina/O=Business Watch International Inc/OU=RPDSS/CN=*.dc.rpdss.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
.....
Verify return code: 21 (unable to verify the first certificate)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
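
The two "Certificate chain" sections in the message above differ in length: the first server sends three certificates, the second sends only entry 0. The script below is an added example, not part of the original post; it summarises that section of s_client output so the two hosts can be compared directly. The function names chain_summary, sample_full and sample_leaf_only are hypothetical, and the input is the post's own chain lines with the mail line-wrapping undone.

```shell
#!/bin/sh
# Summarise the "Certificate chain" section of `openssl s_client` output (stdin):
# certificates sent, whether each issuer matches the next subject, and the
# issuer the client must already hold locally to finish verification.
chain_summary() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
        in_chain && /^ *[av]:/     { next }           # extra per-entry lines in newer OpenSSL
        in_chain                   { in_chain = 0 }   # "---" closes the section
        END {
            if (n == 0) { print "sent=0"; exit }
            linked = "yes"
            for (i = 0; i < n - 1; i++) if (iss[i] != subj[i + 1]) linked = "no"
            printf "sent=%d linked=%s needs_local=%s\n", n, linked, iss[n - 1]
        }'
}

# Constructed input: chain section of the first (verifying) host, unwrapped.
sample_full() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=CA/ST=SK/L=Regina/O=Business Watch International Inc./OU=RPDSS/CN=*.md-bmc.rpdss.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
EOF
}

# Constructed input: chain section of the second (failing) host, unwrapped.
sample_leaf_only() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=CA/ST=Saskatchewan/L=Regina/O=Business Watch International Inc/OU=RPDSS/CN=*.dc.rpdss.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
EOF
}

sample_full | chain_summary
sample_leaf_only | chain_summary
```

For the second host the summary reports sent=1 with DigiCert High Assurance CA-3 as the issuer needed locally, which the first host's chain shows to be an intermediate rather than a root. Against a live server, pipe `openssl s_client -connect host:443 </dev/null 2>/dev/null` into chain_summary.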