> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout > Sent: Wednesday, 18 January, 2012 02:52 <snip> > root@11437000026:/usr/bin# openssl s_client -connect 10.204.4.69:7003 > WARNING: can't open config file: /usr/ssl/openssl.cnf > CONNECTED(00000003) > depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, > CN = 10.204.4.69 > verify error:num=20:unable to get local issuer certificate <snip> > Certificate chain > 0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69 > i:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA <snip> > My Set up looks like this. > e.g. Certificate Chain would be , ROOT----- > Server ( I > keep ROOT at > CLIENT and Server cert at SERVER). Am I right ? > Yes, at least for server auth. If you use client auth, which is not very common, then *also* have the client cert at the client and its root at the server.
> [root@squidpc TEST]# openssl x509 -in root.pem -text <snip> > Please let me know what is missing here & why i am getting > the above error. > Either specify -CAfile root.pem on the s_client commandline OR put that root cert in the default truststore which is used when you don't specify -CAfile and/or -CApath on the commandline. The default truststore can be a single file or a directory with hashcode names or links or both, and is in a location that depends on your platform and the build options of your OpenSSL. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org