Sorry to everybody, this is a long post. I am having trouble getting client
auth going (I have been trying for 8 hours). I am running FreeBSD 4.5-RELEASE,
Apache 1.3.23 and mod_ssl 2.8.7.


Error Log
=========
[26/Mar/2002 12:45:19 14664] [info]  Connection to child 5 established (server webmail.ipfw.org:443, client 192.168.111.254)
[26/Mar/2002 12:45:19 14664] [info]  Seeding PRNG with 23177 bytes of entropy
[26/Mar/2002 12:45:19 14664] [error] Certificate Verification: Error (20): unable to get local issuer certificate


I have enclosed the steps I took to create the CA, server and client certs, and my
httpd.conf.

Please take your time and read it. Any help will be greatly appreciated. TIA.



Create CA
=========

zeus:incoming# openssl genrsa -des3 -out ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
......................................++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

zeus:incoming# openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw CA
Organizational Unit Name (eg, section) []:Certificate Authorize^C
zeus:incoming# openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:webmail.ipfw.org
Email Address []:[EMAIL PROTECTED]

zeus:incoming# ll
total 19
drwxr-xr-x  2 webbie  webbie    512 Mar 26 12:21 .
drwx------  9 webbie  webbie   1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie   1346 Mar 26 12:21 ca.crt
-rw-r--r--  1 root    webbie    963 Mar 26 12:19 ca.key
-rwxr-xr-x  1 webbie  webbie   1784 Mar 26 03:11 sign.sh


CA creation done, now make the server key.
===========================================

zeus:incoming# openssl genrsa -des3 -out server.key 1024 
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
......++++++
........................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

zeus:incoming# openssl req -new -key server.key -out server.csr
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:WebServer Team
Common Name (eg, YOUR name) []:webmail.ipfw.org
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

zeus:incoming# ll -rt
total 21
drwx------  9 webbie  webbie   1024 Mar 26 00:57 ..
-rwxr-xr-x  1 webbie  webbie   1784 Mar 26 03:11 sign.sh
-rw-r--r--  1 root    webbie    963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie   1346 Mar 26 12:21 ca.crt
-rw-r--r--  1 root    webbie    963 Mar 26 12:22 server.key
-rw-r--r--  1 root    webbie    716 Mar 26 12:23 server.csr
drwxr-xr-x  2 webbie  webbie    512 Mar 26 12:23 .


Now, I am going to sign my server cert using my own CA
======================================================

zeus:incoming# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Ontario'
localityName          :PRINTABLE:'Mississauga'
organizationName      :PRINTABLE:'ipfw.org'
organizationalUnitName:PRINTABLE:'WebServer Team'
commonName            :PRINTABLE:'webmail.ipfw.org'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Mar 26 17:25:23 2003 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

zeus:incoming# ll
total 27
drwxr-xr-x  3 webbie  webbie    512 Mar 26 12:25 .
drwx------  9 webbie  webbie   1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie   1346 Mar 26 12:21 ca.crt
drwxr-xr-x  2 root    webbie    512 Mar 26 12:25 ca.db.certs
-rw-r--r--  1 root    webbie    126 Mar 26 12:25 ca.db.index
-rw-r--r--  1 root    webbie      3 Mar 26 12:25 ca.db.serial
-rw-r--r--  1 root    webbie    963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie   2745 Mar 26 12:25 server.crt
-rw-r--r--  1 root    webbie    716 Mar 26 12:23 server.csr
-rw-r--r--  1 root    webbie    963 Mar 26 12:22 server.key
-rwxr-xr-x  1 webbie  webbie   1785 Mar 26 12:24 sign.sh


Now, I am going to create my client cert and sign with my own CA
================================================================

zeus:incoming# openssl genrsa -des3 -out kingkong.key 1024       
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
.......++++++
.................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

zeus:incoming# openssl req -new -key kingkong.key -out kingkong.csr
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:kingkong        
Common Name (eg, YOUR name) []:kingkong
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

zeus:incoming# ./sign.sh kingkong.csr
CA signing: kingkong.csr -> kingkong.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Ontario'
localityName          :PRINTABLE:'Mississauga'
organizationName      :PRINTABLE:'ipfw.org'
organizationalUnitName:PRINTABLE:'kingkong'
commonName            :PRINTABLE:'kingkong'
Certificate is to be certified until Mar 26 17:37:13 2003 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: kingkong.crt <-> CA cert
kingkong.crt: OK

zeus:incoming# ll
total 32
drwxr-xr-x  3 webbie  webbie    512 Mar 26 12:37 .
drwx------  9 webbie  webbie   1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie   1346 Mar 26 12:21 ca.crt
drwxr-xr-x  2 root    webbie    512 Mar 26 12:37 ca.db.certs
-rw-r--r--  1 root    webbie    220 Mar 26 12:37 ca.db.index
-rw-r--r--  1 root    webbie      3 Mar 26 12:37 ca.db.serial
-rw-r--r--  1 root    webbie    963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie   2656 Mar 26 12:37 kingkong.crt
-rw-r--r--  1 root    webbie    660 Mar 26 12:36 kingkong.csr
-rw-r--r--  1 root    webbie    963 Mar 26 12:34 kingkong.key
-rw-r--r--  1 root    webbie   2745 Mar 26 12:25 server.crt
-rw-r--r--  1 root    webbie    716 Mar 26 12:23 server.csr
-rw-r--r--  1 root    webbie    963 Mar 26 12:22 server.key
-rwxr-xr-x  1 webbie  webbie   1785 Mar 26 12:24 sign.sh


Export the key to IE5
=====================


zeus:incoming# openssl pkcs12 -export -in kingkong.crt -inkey kingkong.key \
    -certfile ca.crt -name "webmail.ipfw.org" -out kingkong.p12
Enter PEM pass phrase:
Enter Export Password:
Verifying password - Enter Export Password:

zeus:incoming# ll
total 35
drwxr-xr-x  3 webbie  webbie    512 Mar 26 12:38 .
drwx------  9 webbie  webbie   1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie   1346 Mar 26 12:21 ca.crt
drwxr-xr-x  2 root    webbie    512 Mar 26 12:37 ca.db.certs
-rw-r--r--  1 root    webbie    220 Mar 26 12:37 ca.db.index
-rw-r--r--  1 root    webbie      3 Mar 26 12:37 ca.db.serial
-rw-r--r--  1 root    webbie    963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie   2656 Mar 26 12:37 kingkong.crt
-rw-r--r--  1 root    webbie    660 Mar 26 12:36 kingkong.csr
-rw-r--r--  1 root    webbie    963 Mar 26 12:34 kingkong.key
-rw-r--r--  1 root    webbie   2758 Mar 26 12:38 kingkong.p12
-rw-r--r--  1 root    webbie   2745 Mar 26 12:25 server.crt
-rw-r--r--  1 root    webbie    716 Mar 26 12:23 server.csr
-rw-r--r--  1 root    webbie    963 Mar 26 12:22 server.key
-rwxr-xr-x  1 webbie  webbie   1785 Mar 26 12:24 sign.sh



httpd.conf
==========

[snip]

<IfDefine SSL>
<VirtualHost 24.112.xxx.0:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /opt/webmail.ipfw.org
ServerName webmail.ipfw.org
ErrorLog logs/webmail-error_log
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key
SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt
SSLCACertificatePath /opt/apache/conf/ssl.crt
SSLVerifyClient require
SSLVerifyDepth  1
<Files ~ "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/opt/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /opt/apache/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>



-- 
Peter
                              \\|//
                              (o o)               
+-------------------------oOOo-(_)-oOOo-----------------------------+
 EMail          : mailto:pccb(at)ipfw(dot)org
 PGP Key        : http://www.ipfw.org/pgpkey.txt
 PGP Fingerprint: 1379 3D8A 024E 3C0E 1962  4E12 3742 0684 C29C 3537
+-------------------------------------------------------------------+
It's the InterNIC's fault.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
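The post's error is OpenSSL verify error 20, raised on the server while it tries to build a chain for the presented client certificate. With `SSLCACertificatePath` the server does not read `ca.crt` by file name: it looks for a file named after the hash of the issuer's subject (`<hash>.0`), which is what the `Makefile` shipped in mod_ssl's `conf/ssl.crt` and OpenSSL's `c_rehash` create. The listing in the post shows only `ca.crt`, `server.crt`, `kingkong.crt`, `server.key` and so on, and no such hash-named entry. The script below is an added example, not code from the original post or from mod_ssl: it builds a throwaway CA and client cert (unencrypted keys, made-up subjects, a temporary directory standing in for `/opt/apache/conf/ssl.crt`), reproduces the error 20 with `openssl verify -CApath`, then shows the two fixes: install the hash link, or verify against the file directly, which is what `SSLCACertificateFile` does.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce mod_ssl's
# "Certificate Verification: Error (20): unable to get local issuer
# certificate" with `openssl verify`, then make the lookup succeed the way
# SSLCACertificatePath expects it to. Directory names, subjects and the
# throwaway PKI below are made up for the demo; only `openssl` is required.

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/ssl.crt"      # stands in for /opt/apache/conf/ssl.crt

# Build a throwaway CA and a CA-signed client cert. Keys are left
# unencrypted so this runs without prompts; a real CA key stays encrypted
# and off the web server.
make_pki() {
    mkdir -p "$CAPATH"
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" \
        -subj "/C=CA/O=ipfw.org/OU=Certificate Authority/CN=Demo CA" \
        -out "$WORK/ca.crt" 2>/dev/null
    openssl genrsa -out "$WORK/kingkong.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/kingkong.key" \
        -subj "/C=CA/O=ipfw.org/CN=kingkong" -out "$WORK/kingkong.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/kingkong.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/kingkong.crt" 2>/dev/null
    # Drop ca.crt into the directory as the post does. Nothing in the
    # directory yet carries the name the hash-directory lookup searches for.
    cp "$WORK/ca.crt" "$CAPATH/ca.crt"
}

# What SSLCACertificatePath does: look the issuer up by <subject-hash>.N
# in a directory. Exit status 0 means the chain was built.
verify_via_capath() {
    openssl verify -CApath "$CAPATH" "$WORK/kingkong.crt" >/dev/null 2>&1
}

# Same check, but printing OpenSSL's reason (stdout on old builds, stderr on
# new ones, hence 2>&1) so the failure can be matched against the error log.
capath_reason() {
    openssl verify -CApath "$CAPATH" "$WORK/kingkong.crt" 2>&1 || true
}

# Fix 1: give the directory the entry mod_ssl's ssl.crt Makefile and
# OpenSSL's c_rehash would create. The hash format changed in OpenSSL 1.0.0
# (-subject_hash_old prints the pre-1.0 form); c_rehash writes both.
install_hash_link() {
    hash=$(openssl x509 -noout -hash -in "$CAPATH/ca.crt")
    ln -sf ca.crt "$CAPATH/$hash.0"
    echo "$hash"
}

# Fix 2: point at the CA bundle directly, the equivalent of
# SSLCACertificateFile, which needs no hash names at all.
verify_via_cafile() {
    openssl verify -CAfile "$CAPATH/ca.crt" "$WORK/kingkong.crt" >/dev/null 2>&1
}

# Walk through the failure and both fixes when run as `sh script.sh demo`.
demo() {
    make_pki
    echo "before hash link: $(capath_reason | grep -i 'issuer' || echo ok)"
    h=$(install_hash_link)
    echo "installed $CAPATH/$h.0 -> ca.crt"
    verify_via_capath && echo "after hash link: OK (SSLCACertificatePath style)"
    verify_via_cafile && echo "CAfile:          OK (SSLCACertificateFile style)"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

For the httpd.conf in the post, the simplest equivalent of fix 2 is to replace `SSLCACertificatePath /opt/apache/conf/ssl.crt` with `SSLCACertificateFile /opt/apache/conf/ssl.crt/ca.crt`; if `SSLCACertificatePath` is kept, the hash links must exist in that directory before Apache starts. `SSLVerifyDepth 1` is enough here, since the client cert is issued directly by the self-signed CA the server knows. Note that `-hash` on a current OpenSSL prints the post-1.0.0 hash; a server linked against a 0.9.x OpenSSL, as mod_ssl 2.8.7 was, needs the old form (`c_rehash` emits both).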