Probably missing something simple, but I'm having a tough time validating the CA chain for a certificate. There is a second certificate, seemingly signed by the same CA which does validate.

I'm not sure how useful this tool is, but it seems to indicate both certs were signed by the same CA.

http://www.sslshopper.com/ssl-checker.html#hostname=dealer.md-bmc.rpdss.com
http://www.sslshopper.com/ssl-checker.html#hostname=dealer2.dc.rpdss.com

OpenSSL has other ideas. First one validates fine, second one does not. I can't for the life of me figure out what the difference is.

Any ideas?
David

[root@rhesprodipvs01 ~]# openssl s_client -connect dealer.md-bmc.rpdss.com:443
CONNECTED(00000003)
depth=3 C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure Server Certification Authority
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify return:1
depth=0 C = CA, ST = SK, L = Regina, O = Business Watch International Inc., OU = RPDSS, CN = *.md-bmc.rpdss.com
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=SK/L=Regina/O=Business Watch International Inc./OU=RPDSS/CN=*.md-bmc.rpdss.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
.....
    Verify return code: 0 (ok)



[root@rhesprodipvs01 ~]# openssl s_client  -connect dealer2.dc.rpdss.com:443
CONNECTED(00000003)
depth=0 C = CA, ST = Saskatchewan, L = Regina, O = Business Watch International Inc, OU = RPDSS, CN = *.dc.rpdss.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CA, ST = Saskatchewan, L = Regina, O = Business Watch International Inc, OU = RPDSS, CN = *.dc.rpdss.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = CA, ST = Saskatchewan, L = Regina, O = Business Watch International Inc, OU = RPDSS, CN = *.dc.rpdss.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Saskatchewan/L=Regina/O=Business Watch International Inc/OU=RPDSS/CN=*.dc.rpdss.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
.....
    Verify return code: 21 (unable to verify the first certificate)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
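
Added example, not part of the original post: a small Python check that reads the "Certificate chain" section of `openssl s_client` output and lists the issuers the server did not send, which the client must then find in its own trust store. The sample outputs are constructed and shortened from the two sessions above; the function names and the `leaf_only` flag are assumptions made for this illustration.

```python
import re

# Constructed samples, shortened from the two s_client outputs in the post.
FULL = """\
Certificate chain
 0 s:/C=CA/O=Business Watch International Inc./CN=*.md-bmc.rpdss.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=Entrust.net/CN=Entrust.net Secure Server Certification Authority
---
    Verify return code: 0 (ok)
"""
LEAF_ONLY = """\
depth=0 C = CA, O = Business Watch International Inc, CN = *.dc.rpdss.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=CA/O=Business Watch International Inc/CN=*.dc.rpdss.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert High Assurance CA-3
---
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    subjects = re.findall(r"^[ \t]*\d+ s:(.+)$", text, re.M)
    issuers = re.findall(r"^[ \t]+i:(.+)$", text, re.M)
    return list(zip(subjects, issuers))

def diagnose(text):
    """Report which issuers the client had to find in its local trust store."""
    chain = parse_chain(text)
    sent = {subject for subject, _ in chain}
    # Issuers named in the chain that the server did not send (self-signed excluded).
    unsent = [i for s, i in chain if i not in sent and i != s]
    code = re.search(r"Verify return code: (\d+)", text)
    return {
        "certs_sent": len(chain),
        "needed_locally": unsent,
        "verify_errors": [int(n) for n in re.findall(r"verify error:num=(\d+):", text)],
        "return_code": int(code.group(1)) if code else None,
        "leaf_only": len(chain) == 1 and bool(unsent),
    }

if __name__ == "__main__":
    for name, output in (("full", FULL), ("leaf-only", LEAF_ONLY)):
        print(name, diagnose(output))
```

When `leaf_only` is true, the server presented only its own certificate, so verification depends on the client already holding the named issuer locally.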
