Re: Can't recognize intermediate CA

2009-03-13 Thread Kyle Hamilton
- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, March 12, 2009 4:23 PM To: openssl-users@openssl.org Subject: Re: Can't recognize intermediate CA If it's any consolation you aren't alone with that, it gets

Re: Can't recognize intermediate CA

2009-03-13 Thread Kyle Hamilton
chain). -Original Message- From: Rene Hollan Sent: Thursday, March 12, 2009 6:34 PM To: 'openssl-users@openssl.org' Subject: RE: Can't recognize intermediate CA  Sigh. Well, I added the intermediate CA to the cert chain sent by my proxy (and verified this with wireshark). OpenSSL

Re: Can't recognize intermediate CA

2009-03-13 Thread Dr. Stephen Henson
On Thu, Mar 12, 2009, Rene Hollan wrote: Yup. That fixed it. At least as far as openssl verify -CAfile cacert.pem -untrusted intcert2.pem yahoo-x.pem goes. Oddly, firefox still rejects the end cert, even though both cacert.pem and intcert2.pem are in its trust store. Is it possible that

Re: Can't recognize intermediate CA

2009-03-13 Thread Dr. Stephen Henson
On Thu, Mar 12, 2009, Rene Hollan wrote: True, but (a) it doesn't hurt to have both, and (b) if the issuer doesn't have a SKID, AKID issuer/serial takes the place of an AKID keyid. The disadvantage is that if you want to support more than one intermediate CA (cross certification for

RE: Can't recognize intermediate CA

2009-03-13 Thread Rene Hollan
on behalf of Dr. Stephen Henson Sent: Fri 3/13/2009 5:14 AM To: openssl-users@openssl.org Subject: Re: Can't recognize intermediate CA On Thu, Mar 12, 2009, Rene Hollan wrote: True, but (a) it doesn't hurt to have both, and (b) if the issuer doesn't have a SKID, AKID issuer/serial takes

RE: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
/hclIGJec5uzlpCenVydGVgToddvpV7Qg4Z+Rap2xiXx63KugGSRjA/1tnR sQ2OcZejF/Kjh7SHmM/NHIfSuraWJcayb4njNt8vKRYazfiFF8G2O7cOOe674KM9 TpMPay5Ei0HMRb1uQjRaFmxVd1RoKw== -END CERTIFICATE- -Original Message- From: Rene Hollan Sent: Thursday, March 12, 2009 3:01 PM To: 'openssl-users@openssl.org' Subject: Can't recognize

FW: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
; 'openssl-users@openssl.org' Subject: RE: Can't recognize intermediate CA Corrected yahoo.pem: -BEGIN CERTIFICATE- MIIDojCCAoqgAwIBAgIYANIyCa0j0xQjIXTkDX+dYhOXhmM6BaBMMA0GCSqGSIb3 MIIDojCCAoqgAwIBAgIYANIyCa0j0xQjIXTkDX+DQEBBQUAMEwxIDAeBgNVBAoWF1dhdGNoR

Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
I'm tearing my hair out trying to get an intermediate CA to be recognized. I have cacert.pem signing intcert.pem signing (well, resigning) yahoo.pem. Openssl verify verifies intcert.pem against cacert.pem, but won't verify yahoo.pem against intcert.pem. Subject/issuer match. AKID dirname and

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
the cacert has pathlen:1 in its X509v3 Basic Constraints Subject: Can't recognize intermediate CA Date: Thu, 12 Mar 2009 15:00:47 -0700 From: rene.hol...@watchguard.com To: openssl-users@openssl.org I'm tearing my hair out trying to get

RE: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Giang Nguyen Sent: Thursday, March 12, 2009 3:49 PM To: openssl-users@openssl.org Subject: RE: Can't recognize intermediate CA the cacert has pathlen:1 in its X509v3 Basic Constraints Subject: Can't

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
. so at this point, I don't have any ideas. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Giang Nguyen Sent: Thursday, March 12, 2009 3:49 PM To: openssl-users@openssl.org Subject: RE: Can't recognize intermediate CA

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
I used openssl with the intermediate CA to sign a separate cert, which had an AKID keyid but no issuer, and that chain recognizes fine. Could the problem be the fact that yahoo.pem has an AKID keyid AND issuer? (one or the other is sufficient, but I could find nothing that said that both

RE: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
To: openssl-users@openssl.org Subject: RE: Can't recognize intermediate CA I used openssl with the intermediate CA to sign a separate cert, which had an AKID keyid but no issuer, and that chain recognizes fine. Could the problem be the fact that yahoo.pem has an AKID keyid AND issuer? (one

Re: Can't recognize intermediate CA

2009-03-12 Thread Dr. Stephen Henson
On Thu, Mar 12, 2009, Rene Hollan wrote: Yeah, I just noticed that. I've been comparing how my intermediate CA resigned an existing cert (it's part of a proxy that decrypts, examines, and reencrypts -- the downstream client sharing a trust hierarchy with the intermediate resigning CA) with

RE: Can't recognize intermediate CA

2009-03-12 Thread Giang Nguyen
Sincerely, Giang Nguyen Date: Fri, 13 Mar 2009 00:22:56 +0100 From: st...@openssl.org To: openssl-users@openssl.org Subject: Re: Can't recognize intermediate CA On Thu, Mar 12, 2009, Rene Hollan wrote: Yeah, I just noticed that. I've

RE: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
: Thursday, March 12, 2009 4:23 PM To: openssl-users@openssl.org Subject: Re: Can't recognize intermediate CA If it's any consolation you aren't alone with that, it gets commented on quite often so much so in fact that it has an FAQ entry: http://www.openssl.org/support/faq.html#USER15 You can

RE: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
, March 12, 2009 4:23 PM To: openssl-users@openssl.org Subject: Re: Can't recognize intermediate CA You can just leave out the issuer+serial number combination from AKID too. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance

RE: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
. :-( -Original Message- From: Rene Hollan Sent: Thursday, March 12, 2009 5:39 PM To: 'openssl-users@openssl.org' Subject: RE: Can't recognize intermediate CA Yup. That fixed it. At least as far as openssl verify -CAfile cacert.pem -untrusted intcert2.pem yahoo-x.pem goes. Oddly, firefox

RE: Can't recognize intermediate CA

2009-03-12 Thread Rene Hollan
-users@openssl.org' Subject: RE: Can't recognize intermediate CA Sigh. Well, I added the intermediate CA to the cert chain sent by my proxy (and verified this with wireshark). OpenSSL s_client -CAfile cacert.pem -host login.yahoo.com -port 443 works and shows the trust chain. But, Firefox