Re: problem with converting pfx to pem and Verisign Intermediate CA
Quoting Dr. Stephen Henson [EMAIL PROTECTED]:

> On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
>
> Can you give the full error message? It looks like it is the wrong
> intermediate CA being sent.
>
> With the server cert do:
>
>   openssl x509 -in cert.pem -issuer -noout
>
> that should match:
>
>   openssl x509 -in intermediate.pem -subject -noout
>
> Is this server on the internet somewhere? If so I can work out which
> intermediate CA you need.

Solved. The tech at Verisign gave our web guy the wrong intermediate; I talked to someone else and had the correct one within 5 minutes.

Thanks!

brian

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

problem with converting pfx to pem and Verisign Intermediate CA
hello list,

We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle https requests to our server and it's come to my attention Firefox users (non-IE users I assume really) get a message about not being able to verify the authenticity of the certificate when they sign onto our sites due to Verisign having a newer Intermediate CA.

I was given the pfx file which I converted to pem with the set of commands below:

  openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
  openssl rsa -in wfkey030106.pem -out wfcert030106.pem
  openssl x509 -in wfkey030106.pem wfcert030106.pem

Verisign told us to update the intermediate cert with the one here:

  http://www.verisign.com/support/install2/intermediate.html

but when I try to replace the 'BEGIN CERTIFICATE' section in the files above I get errors like this:

  error reading private key: error..., 111error reading private key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

So my question is: using the new Intermediate CA and the pfx file above, how can I wind up with a working .pem file?

Thank you,
brian

Re: problem with converting pfx to pem and Verisign Intermediate CA
On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:

> hello list,
>
> We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to
> handle https requests to our server and it's come to my attention
> Firefox users (non-IE users I assume really) get a message about not
> being able to verify the authenticity of the certificate when they
> sign onto our sites due to Verisign having a newer Intermediate CA.
>
> I was given the pfx file which I converted to pem with the set of
> commands below:
>
>   openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
>   openssl rsa -in wfkey030106.pem -out wfcert030106.pem
>   openssl x509 -in wfkey030106.pem wfcert030106.pem
>
> Verisign told us to update the intermediate cert with the one here:
>
>   http://www.verisign.com/support/install2/intermediate.html
>
> but when I try to replace the 'BEGIN CERTIFICATE' section in the
> files above I get errors like this:
>
>   error reading private key: error..., 111error reading private key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
>
> So my question is: using the new Intermediate CA and the pfx file
> above, how can I wind up with a working .pem file?

Have a look in the pem file. If you have more than one certificate (the stuff with BEGIN CERTIFICATE and END CERTIFICATE) delete any after the first. Then append the intermediate certificate data to the end of the file.

You can use the OpenSSL s_client utility to check it works OK.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: problem with converting pfx to pem and Verisign Intermediate CA
Quoting Dr. Stephen Henson [EMAIL PROTECTED]:

> On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
>
> > hello list,
> >
> > We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to
> > handle https requests to our server and it's come to my attention
> > Firefox users (non-IE users I assume really) get a message about not
> > being able to verify the authenticity of the certificate when they
> > sign onto our sites due to Verisign having a newer Intermediate CA.
> >
> > I was given the pfx file which I converted to pem with the set of
> > commands below:
> >
> >   openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
> >   openssl rsa -in wfkey030106.pem -out wfcert030106.pem
> >   openssl x509 -in wfkey030106.pem wfcert030106.pem
> >
> > Verisign told us to update the intermediate cert with the one here:
> >
> >   http://www.verisign.com/support/install2/intermediate.html
> >
> > but when I try to replace the 'BEGIN CERTIFICATE' section in the
> > files above I get errors like this:
> >
> >   error reading private key: error..., 111error reading private key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
> >
> > So my question is: using the new Intermediate CA and the pfx file
> > above, how can I wind up with a working .pem file?
>
> Have a look in the pem file. If you have more than one certificate
> (the stuff with BEGIN CERTIFICATE and END CERTIFICATE) delete any
> after the first. Then append the intermediate certificate data to the
> end of the file.
>
> You can use the OpenSSL s_client utility to check it works OK.

I've already done this except the testing with s_client part. I tested with Firefox, which still generates the same error with that. I just tested with s_client and I get "Verify return code 21: unable to verify the first certificate".

Is there any other information I can give the list to help find a solution?

> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

Re: problem with converting pfx to pem and Verisign Intermediate CA
On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:

> Quoting Dr. Stephen Henson [EMAIL PROTECTED]:
>
> I've already done this except the testing with s_client part, I
> tested with firefox which still generates the same error with that.
> I just tested with s_client and I get Verify return code 21: unable
> to verify the first certificate.

Use the -showcerts option to s_client to see which certificates the server is sending.

Also include the root CA as an argument to the -CAfile option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: problem with converting pfx to pem and Verisign Intermediate CA
Quoting Dr. Stephen Henson [EMAIL PROTECTED]:

> On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
>
> > Quoting Dr. Stephen Henson [EMAIL PROTECTED]:
> >
> > I've already done this except the testing with s_client part, I
> > tested with firefox which still generates the same error with that.
> > I just tested with s_client and I get Verify return code 21: unable
> > to verify the first certificate.
>
> Use the -showcerts option to s_client to see which certificates the
> server is sending.

It's sending both in the pem ...

> Also include the root CA as an argument to the -CAfile option.

same results. (code 21)

Re: problem with converting pfx to pem and Verisign Intermediate CA
On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:

> Quoting Dr. Stephen Henson [EMAIL PROTECTED]:
>
> > On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
> >
> > > Quoting Dr. Stephen Henson [EMAIL PROTECTED]:
> > >
> > > I've already done this except the testing with s_client part, I
> > > tested with firefox which still generates the same error with
> > > that. I just tested with s_client and I get Verify return code 21:
> > > unable to verify the first certificate.
> >
> > Use the -showcerts option to s_client to see which certificates the
> > server is sending.
>
> It's sending both in the pem ...
>
> > Also include the root CA as an argument to the -CAfile option.
>
> same results. (code 21)

Can you give the full error message? It looks like it is the wrong intermediate CA being sent.

With the server cert do:

  openssl x509 -in cert.pem -issuer -noout

that should match:

  openssl x509 -in intermediate.pem -subject -noout

Is this server on the internet somewhere? If so I can work out which intermediate CA you need.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
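
Added example, not part of the thread: the issuer/subject comparison from the last reply, extended with a signature check and a key/certificate check, run against a constructed throw-away PKI. All file names, CNs and helper function names are assumptions made up for this illustration.

```shell
#!/bin/sh
# Constructed throw-away PKI (all names made up): root -> intermediate A ->
# server cert, plus intermediate B standing in for the wrong file.
d=$(mktemp -d) && cd "$d" || exit 1
trap 'rm -rf "$d"' EXIT
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > pki.cnf

# issue NAME CN SIGNER SERIAL [EXT_SECTION]: new key and a cert signed by SIGNER
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" -config pki.cnf 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -set_serial "$4" \
        -days 2 -out "$1.pem" ${5:+-extfile pki.cnf -extensions $5} 2>/dev/null
}
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Constructed Root" -days 2 -config pki.cnf -extensions ca 2>/dev/null
issue int_a "Constructed Intermediate A" root 2 ca
issue int_b "Constructed Intermediate B" root 3 ca
issue server "www.example.test" int_a 4

# The thread's check: issuer DN of CERT ($1) equals subject DN of INTERMEDIATE ($2).
issuer_matches() {
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
    [ "$iss" = "$sub" ]
}
# Names can match while keys differ, so also verify signatures up to the root ($3).
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }
# "key values mismatch" check: CERT ($1) must carry the public key of KEY ($2).
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

for i in int_a int_b; do
    if issuer_matches server.pem "$i.pem" && chain_verifies server.pem "$i.pem" root.pem
    then
        # Layout from the thread: key, server certificate, then the intermediate.
        cat server.key server.pem "$i.pem" > bundle.pem
        echo "$i: issuer matches and chain verifies, wrote bundle.pem"
    else
        echo "$i: wrong intermediate for server.pem"
    fi
done
key_matches server.pem server.key && echo "server.pem matches server.key"
key_matches int_a.pem server.key || echo "int_a.pem as first cert: key values mismatch"
```

Putting the intermediate where the server certificate belongs makes the first certificate in the file disagree with the private key, which is the condition the "key values mismatch" error in the original post reports.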