Re: Singing with certificate
Quoting Stewart Dean [EMAIL PROTECTED]: C'mon guys, lighten up. It's a joke, a pun.see in music, there are keysthe key of F has one flat, the key of D has two sharps, etc. Don't have your head so far down in the nuts and bolts...time for a vacationand leave your email and cellphone behind. the posters native language is not english it seems but Dutch. (.nl email address) Rory Vieira wrote: Stephen, What key are you singing in? I'm not sure what you mean... The customer get's a .p12 certificate from the branche organisation which they install in Windows. I still need to extract the public key from that though. I'll probably need windows to export it to DER format (eg cert.cer). The exported public key should be used for encryption, so they can decode with the private key... I do appologize for the inproper subject... It should've been 'Encrypting with certificate'... Cheers, -- Stewart Dean, Unix System Admin, Henderson Computer Resources Center of Bard College, Annandale-on-Hudson, New York 12504 [EMAIL PROTECTED] voice: 845-758-7475, fax: 845-758-7035 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: problem with converting pfx to pem and Verisign Intermediate CA
Quoting Dr. Stephen Henson [EMAIL PROTECTED]: On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote: Can you give the full error message? It looks like it is the wrong intermediate CA being sent. With the server cert do: openssl x509 -in cert.pem -issuer -noout that should match: openssl x509 -in intermediate.pem -subject -noout Is this server on the internet somewhere? If so I can work out which intermediate CA you need. solved. the tech at verisign gave our web guy the wrong intermediate, I talked to someone else and had the correct one within 5 minutes. thanks! brian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
problem with converting pfx to pem and Verisign Intermediate CA
hello list, We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle https requests to our server and it's come to my attention Firefox users (non-IE users I assume really) get a message about not being able to verify the authenticity of the certificate when they sign onto our sites due to Verisign having a newer Intermediate CA. I was given the pfx file which I converted to pem with the set of commands below: openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem openssl rsa -in wfkey030106.pem -out wfcert030106.pem openssl x509 -in wfkey030106.pem wfcert030106.pem Verisign told us to update the intermediate cert with the one here: http://www.verisign.com/support/install2/intermediate.html but when I try to replace the 'BEGIN CERTIFICATE' section in the files above I get errors like this: error reading private key: error..., 111error reading private key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch So my question is using the new Intermediate CA and the pxf file above how can I wind up with a working .pem file? Thank you, brian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: problem with converting pfx to pem and Verisign Intermediate CA
Quoting Dr. Stephen Henson [EMAIL PROTECTED]: On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote: hello list, We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle https requests to our server and it's come to my attention Firefox users (non-IE users I assume really) get a message about not being able to verify the authenticity of the certificate when they sign onto our sites due to Verisign having a newer Intermediate CA. I was given the pfx file which I converted to pem with the set of commands below: openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem openssl rsa -in wfkey030106.pem -out wfcert030106.pem openssl x509 -in wfkey030106.pem wfcert030106.pem Verisign told us to update the intermediate cert with the one here: http://www.verisign.com/support/install2/intermediate.html but when I try to replace the 'BEGIN CERTIFICATE' section in the files above I get errors like this: error reading private key: error..., 111error reading private key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch So my question is using the new Intermediate CA and the pxf file above how can I wind up with a working .pem file? Have a look in the pem file. If you have more than one certificate (the stuff with BEGIN CERTIFICATE and END CERTIFICATE ) delete any after the first. Then append the intermediate certificate data to the end of the file. You can use the OpenSSL s_client utility to check it works OK. I've already done this except the testing with s_client part, I tested with firefox which still generates the same error with that. I just tested with s_client and I get Verify return code 21: unable to verify the first certificate. Is there any other information I can give the list to help find a solution? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: problem with converting pfx to pem and Verisign Intermediate CA
Quoting Dr. Stephen Henson [EMAIL PROTECTED]: On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote: Quoting Dr. Stephen Henson [EMAIL PROTECTED]: I've already done this except the testing with s_client part, I tested with firefox which still generates the same error with that. I just tested with s_client and I get Verify return code 21: unable to verify the first certificate. Use the -showcerts option to s_client to see which certificates the server is sending. It's sending both in the pem ... Also include the root CA as an argument to the -CAfile option. same results. (code 21) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]