Re: issue with p12 creation and network solutions EV SSL

2011-04-27 Thread Rob Stradling
On Tuesday 26 Apr 2011 19:35:48 Mounir IDRASSI wrote: Hi James, I got the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificates store more quickly and regularly than Mozilla or Linux distros: the latest update was last month on March 23rd

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread Rob Stradling
On Monday 25 Apr 2011 20:07:03 James Chase wrote: I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file cannot be verified by newer installs of Firefox.

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread James Chase
Well, my results are quite different, and I guess point to my p12 not being correctly created. Strangely, the p12 I am running this test on works in production and doesn't produce a warning (I re-created last year's certificate as a new p12 using the same process I am trying with this year's). I

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread James Chase
Someone suggested it would be helpful to post the chain file and the site's public certificate to the list. If it is helpful, here is the site cert (and below that their supplied chain file) -----BEGIN CERTIFICATE----- MIIF+TCCBOGgAwIBAgIRAOQNdqGKinmztM0sRh0SkkowDQYJKoZIhvcNAQEFBQAw

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread Mounir IDRASSI
Hi, Your SSL certificate has an Authority Key Identifier extension which has a value of 8a 35 e4 35 3a bc 11 a1 9e fb f5 4f 34 66 d5 4b ac 4c 62 68. This indicates that it has NOT been issued by the Network Solutions EV Server CA certificate that is present in the chain file you posted: this

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread Rob Stradling
On Tuesday 26 Apr 2011 13:29:00 James Chase wrote: Someone suggested it would be helpful to post the chain file and the site's public certificate to the list. If it is helpful, here is the site cert (and below that their supplied chain file) -BEGIN CERTIFICATE- snip -END

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread James Chase
You've got the wrong chain file. I understand that NetSol switched to a new EV Issuing CA a few months ago. Are you definitely using the chain file that they supplied with your latest site cert? I am using the chain file that they suggest downloading which already has the intermediate

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread Mounir IDRASSI
Hi James, I got the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificates store more quickly and regularly than Mozilla or Linux distros: the latest update was last month on March 23rd 2011. It is sad that even Network Solutions guys are

Re: issue with p12 creation and network solutions EV SSL

2011-04-26 Thread James Chase
I got the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificates store more quickly and regularly than Mozilla or Linux distros: the latest update was last month on March 23rd 2011. It is sad that even Network Solutions guys are not aware

Re: issue with p12 creation and network solutions EV SSL

2011-04-25 Thread James Chase
I did run the verification, and didn't have an issue there. Still am not able to figure out how to correctly create this as the only way the p12 compiles is by dropping the -chain command but that creates SSL verification warnings in Firefox web browsers. openssl req -verify -in

Re: issue with p12 creation and network solutions EV SSL

2011-04-25 Thread James Chase
I simplified the issue a bit in order to try and understand what is going on here and found that the SSL certificate that Network Solutions is providing, along with the intermediate chain file cannot be verified by newer installs of Firefox. It doesn't have anything to do with the p12 file I am

RE: issue with p12 creation and network solutions EV SSL

2011-04-25 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of James Chase Sent: Monday, 25 April, 2011 11:02 I did run the verification, and didn't have an issue there. Still am not able to figure out how to correctly create this as the only way the p12 compiles is by dropping the

Re: issue with p12 creation and network solutions EV SSL

2011-04-25 Thread James Chase
openssl verify -CAfile chain.crt my.cert.crt IF you have installed some 'common' or 'standard' CAs in your system's default truststore -- or if you're using a packaged build that does so for you -- turn that off to make sure it doesn't silently 'fill in' certs for you, something like:

Re: issue with p12 creation and network solutions EV SSL

2011-04-23 Thread James Chase
I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL: openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt Error unable to get local issuer

Re: issue with p12 creation and network solutions EV SSL

2011-04-23 Thread Michael S. Zick
On Sat April 23 2011, James Chase wrote: I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL: Has worked for years and now it fails? OK, what changed? From: http://www.openssl.org/docs/apps/pkcs12.html -chain

Re: issue with p12 creation and network solutions EV SSL

2011-04-23 Thread re est
Hi James, Can you try openssl verify command? If this fails, then there must be something wrong with your setup - re On Sat, Apr 23, 2011 at 8:45 PM, James Chase chase1...@gmail.com wrote: I have done this multiple years in a row with the exact same process but now I get the following error when I

Re: issue with p12 creation and network solutions EV SSL

2011-04-23 Thread Crypto Sal
On 04/21/2011 06:51 PM, James Chase wrote: I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL: openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in

Re: issue with p12 creation and network solutions EV SSL

2011-04-23 Thread James Chase
I am using the same system -- I have tried with last year's chain file as well. The only things that would be different, to my knowledge, are possibly the version of openssl and the renewed crt file if it possibly requires new CAs (I did use their most current certificates before I tried using my old

issue with p12 creation and network solutions EV SSL

2011-04-21 Thread James Chase
I have done this multiple years in a row with the exact same process but now I get the following error when I try to create my SSL: openssl pkcs12 -export -chain -CAfile cachain.crt -out my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt Error unable to get local issuer certificate