problem with certificates


Author: lakshmi prasanna
Date: Jun 11, 2008 07:48

Hi,

The below error is obtained when no CA is set up in the machine, i.e.,
cacert.pem and cakey.pem files are not present and the root certificate is
not signed by the CA.

The root certificate is signed by the root key generated while creating the
certificate using command:
openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem

-Error with certificate at depth: 2
issuer = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root Intoto/emailAddress=root@intoto.com
subject = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root Intoto/emailAddress=root@intoto.com
err 19:self signed certificate in certificate chain
SSL_connect failed
** client.c:80 Error connecting SSL object
16384:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:
Re: problem with certificates         


Author: lakshmi prasanna
Date: Jun 13, 2008 03:05

Hi,

Thanks for the reply.

I have set up a CA, and generated cacert.pem and cakey.pem files. I
signed the rootrequest with cacert.pem and generated rootcert.pem.
Even then the same error is observed saying "Self signed certificate".
Actually I am setting up a local CA in this case.

Can we sign the root certificate by the CA or should we sign the root
certificate request and then generate the root certificate from the
request?

Actually, I am following the steps in the book O'Reilly's Network
Security with OpenSSL to generate the certificates.
Can you please send me the exact steps to create a CA and generate CA
signed certificates?

thanks,
Lakshmi Prasanna

On Fri, Jun 13, 2008 at 2:33 PM, bala_41@hotmail.com
gmail.com> wrote:
>Hi,
>
> The below error is obtained when no CA is setup in the machine, ie.,
> cacert.pem and cakey.pem...
Re: problem with certificates         


Author: Kyle Hamilton
Date: Jun 13, 2008 03:33

Read the manpage for verify(1ssl) for information on how to get
openssl's command-line tools to recognize a root certificate as
'trusted'.

The same type of thing must be done in your client. The root
certificate must be added to the list of CAs that are trusted. I'm
not quite sure of the precise API to use to do so.

Also: I would recommend you look at the CA.sh shell script to handle
things as a minimal Certifying Authority. It automates the entire
procedure.

-Kyle H

On Fri, Jun 13, 2008 at 3:05 AM, lakshmi prasanna intoto.com> wrote:
> Hi,
>
> Thanks for the reply.
>
> I have setup CA, and generated cacert.pem and cakey.pem files. I
> signed the rootrequest...
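
The error 19 reported in this thread, and the effect of trusting the root as suggested in the reply above, can be reproduced with the openssl command-line tool. This is an added example, not code from any post in the thread; it assumes an openssl binary on PATH, and the subject names, keys and certificates are constructed throwaway values (only the file names rootkey.pem and rootcert.pem follow the thread).

```shell
#!/bin/sh
# Added example. All keys, certificates and subject names are constructed
# throwaway values; file names follow the thread (rootkey.pem, rootcert.pem).

make_pki() {  # $1 = empty working directory
    # Self-signed root: issuer and subject are identical by construction.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$1/rootkey.pem" -out "$1/rootcert.pem" 2>/dev/null || return 1
    # Server key and certificate request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=server.example.test" \
        -keyout "$1/serverkey.pem" -out "$1/serverreq.pem" 2>/dev/null || return 1
    # The root signs the server's request.
    openssl x509 -req -in "$1/serverreq.pem" -sha256 -days 30 \
        -CA "$1/rootcert.pem" -CAkey "$1/rootkey.pem" -CAcreateserial \
        -out "$1/servercert.pem" 2>/dev/null
}

# The root is only presented alongside the chain (as a server would send it),
# not trusted. Succeeds when verification stops with error 19.
chain_rejected() {
    openssl verify -untrusted "$1/rootcert.pem" "$1/servercert.pem" 2>&1 |
        grep -q "error 19 at"
}

# Same chain, but the root is loaded as a trust anchor.
chain_accepted() {
    openssl verify -CAfile "$1/rootcert.pem" "$1/servercert.pem" >/dev/null 2>&1
}

work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
make_pki "$work" || { echo "openssl failed to build the test PKI" >&2; exit 1; }
chain_rejected "$work" && echo "root sent but not trusted: error 19"
chain_accepted "$work" && echo "root loaded with -CAfile: OK"
```

In a C client built on libssl, the counterpart of -CAfile is a call to SSL_CTX_load_verify_locations(ctx, "rootcert.pem", NULL) on the SSL_CTX before SSL_connect.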
Re: problem with certificates         


Author: Ace
Date: Jun 13, 2008 08:57

I am facing the same issue. I want to automate adding the CA certificate to
the client machine.
Where can I get this CA.sh? Will it automate the client process of adding the CA
certificate as a trusted one? I found CA.pl, a wrapper script by Eric. Is it
the same one you are talking about?

On Fri, Jun 13, 2008 at 3:33 AM, Kyle Hamilton gmail.com> wrote:
> Read the manpage for verify(1ssl) for information on how to get
> openssl's commandline tools to recognize a root certificate as
> 'trusted'.
>
> The same type of thing must be done in your client. ...