I am using the same system -- I have tried with last years chain file as well. The only thing that would be different to my knowledge are possibly the version of openssl and the renewed crt file if it possibly requires new CA's (I did use their most current certificates before I tried using my old cafile).
openssl verify never returns, I'm not sure what the syntax I am shooting for there is. When i try without using the "-chain" command then it compiles the p12 and it does seem to load in Chrome and IE ,but in FF3 I get: secure.example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer) And in FF4 I get: store.innertraditions.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer) I have always used the -chain and -CAfile options together when creating p12's. On Sat, Apr 23, 2011 at 12:32 PM, Crypto Sal <crypto....@gmail.com> wrote: > On 04/21/2011 06:51 PM, James Chase wrote: > > I have done this multiple years in a row with the exact same process but > now I get the following error when I try to create my SSL: > > openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 > -inkey my.domain.com.key -in MY.DOMAIN.COM.crt > Error unable to get local issuer certificate getting chain. > > I concatenated all the intermediate files in the order they suggest, and > according to the process I have documented that has worked the past few > years. I also downloaded the pre-built chain file where they already > concatenated the needed files together but I get the same error. I also > tried the same chain file I used last year -- same results. Googling is not > helping me understand this error. Anyone know what could be going on here > with the EV SSL creation for Network Solutions? > > > -- > "Beware of all enterprises that require new clothes." > -- Henry David Thoreau > > > > James, > > You don't need to include the -chain' option since you are providing the > chain with the '-CAfile' option. '-chain' is if you want OpenSSL to build > the chain for you. > > --Crypto.Sal > -- "Beware of all enterprises that require new clothes." -- Henry David Thoreau
