> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Wednesday, 18 January, 2012 02:52
<snip>
> root@11437000026:/usr/bin# openssl s_client -connect 10.204.4.69:7003
> WARNING: can't open config file: /usr/ssl/openssl.cnf
> CONNECTED(00000003)
> depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, CN = 10.204.4.69
> verify error:num=20:unable to get local issuer certificate
<snip>
> Certificate chain
>  0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69
>    i:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA
<snip>
> My Set up looks like this.
>  e.g. Certificate Chain would be, ROOT -----> Server (I keep ROOT at
> CLIENT and Server cert at SERVER). Am I right?
> 
Yes, at least for server auth. If you use client auth,
which is not very common, then *also* have the client cert 
at the client and its root at the server. 

> [root@squidpc TEST]# openssl x509 -in root.pem -text
<snip>

> Please let me know what is missing here & why I am getting
> the above error.
> 
Either specify -CAfile root.pem on the s_client commandline
OR put that root cert in the default truststore which is used 
when you don't specify -CAfile and/or -CApath on the commandline.
The default truststore can be a single file or a directory with 
hashcode names or links or both, and is in a location that depends 
on your platform and the build options of your OpenSSL.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
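
The two fixes from the reply above, reproduced offline with `openssl verify` as an added example (not part of the original thread). The throwaway CA, the subject names and the use of the `SSL_CERT_DIR` environment variable to stand in for the platform's default truststore directory are assumptions of this example.

```shell
#!/bin/sh
# Constructed demo PKI: throwaway root CA and server cert (all names are made up).
make_pki() {                      # $1 = empty work directory
    mkdir -p "$1/capath"
    # Self-signed root: the cert the verifying side has to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    # Server key and CSR, then a server cert issued by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=server.example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
    # Directory-style truststore: the root stored under its subject hash, <hash>.0
    h=$(openssl x509 -in "$1/root.pem" -noout -hash)
    cp "$1/root.pem" "$1/capath/$h.0"
}

# Case 1: default truststore, which does not contain the demo root (error 20).
verify_default() { openssl verify "$1/server.pem" 2>&1; }
# Case 2: root supplied explicitly as a single file.
verify_cafile()  { openssl verify -CAfile "$1/root.pem" "$1/server.pem" 2>&1; }
# Case 3: root found in the default directory, here redirected to the demo
# hashed directory via SSL_CERT_DIR so no system path is modified.
verify_capath()  { SSL_CERT_DIR="$1/capath" openssl verify "$1/server.pem" 2>&1; }

d=$(mktemp -d)
make_pki "$d"
echo "--- no trusted root:";      verify_default "$d" || true
echo "--- -CAfile root.pem:";     verify_cafile "$d"
echo "--- hashed directory:";     verify_capath "$d"
echo "--- this build's default location:"; openssl version -d
```

`openssl version -d` prints the OPENSSLDIR this build was compiled with, which is where the default `cert.pem` file and `certs/` directory are looked up.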