Certificate chain problem

Certificate chain problem

Eleftheria Petraki
Hi all,

I have generated a self-signed root certification authority and an
intermediate certification authority signed by the root CA using openssl
0.9.7g. The intermediate CA signed an Apache 1 (mod_ssl) SSL server
certificate. Both the root and intermediate PEM certificates are placed in
the file ca.crt pointed to by the directive SSLCACertificateFile.

With this setup I have a problem opening my secure site with any browser:
Internet Explorer 6 cannot display the page, while Mozilla reports: error
establishing an encrypted connection with server, error code -8155.
The root CA certificate is successfully imported into the client browsers.

Something must be wrong with the certificate chain because the page is
correctly opened if the server certificate is issued directly by the root
CA.

I would greatly appreciate any help, since I cannot find any solution for
this.

Thanks

Ellie


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Certificate chain problem

Olaf Gellert
Eleftheria Petraki wrote:
> Hi all,
>
> I have generated a self signed root certification authority and an
> intermediate certification authority signed by the root CA using openssl
> 0.9.7g. The intermediate CA signed an apache 1 with mod-ssl SSL server
> certificate. Both the root and intermediate PEM certificates are placed
> in the file ca.crt pointed by the directive SSLCACertificateFile.

How about putting the intermediate CA certificate in the file
ca.chain and letting the directive SSLCertificateChainFile point
to it? SSLCACertificateFile is IMHO only for accepted CAs
for client authentication (so no wonder the server does not
accept the connection request, your browser does not have
a corresponding client certificate).

> I would greatly appreciate any help, since I can not find any solution
> for this.

I hope it works as described above. Cheers,
  Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [hidden email]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet
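As an added illustration (not part of Olaf's reply, the thread, or the mod_ssl documentation), the misconfiguration from the original post beside the corrected form, written as a hypothetical mod_ssl virtual-host fragment; the file paths are assumed:

```apache
# Added example, not from the thread. Paths are assumed.
# mod_ssl does not allow comments on the same line as a directive,
# so every comment here sits on its own line.

# WRONG (the original post): root and intermediate concatenated into
# ca.crt and handed to SSLCACertificateFile. That directive only
# defines which CAs are accepted when the server asks for a client
# certificate; it does not make the server send the intermediate to
# the browser, so a browser that trusts only the root cannot build
# the chain server -> intermediate -> root.
SSLCertificateFile      /etc/ssl/server.crt
SSLCertificateKeyFile   /etc/ssl/server.key
SSLCACertificateFile    /etc/ssl/ca.crt

# RIGHT: the intermediate CA certificate goes into the file named by
# SSLCertificateChainFile, which mod_ssl sends to the client together
# with the server certificate. The root may be left out of the chain
# file; the client must already trust it locally. SSLCACertificateFile
# stays unset unless client-certificate authentication is wanted.
SSLCertificateFile      /etc/ssl/server.crt
SSLCertificateKeyFile   /etc/ssl/server.key
SSLCertificateChainFile /etc/ssl/ca.chain
```

The directive names are the same in mod_ssl for Apache 1.3 and 2.x. From Apache 2.4.8 on, SSLCertificateChainFile is deprecated and the intermediate certificates are instead appended, leaf first, to the file named by SSLCertificateFile.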

Re: Certificate chain problem

Eleftheria Petraki

Unfortunately it is not working. IE still cannot display the page and
Mozilla causes the following entry in error_log:
[Mon Jun 13 16:42:57 2005] [error] OpenSSL: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
certificate not server name or identical to CA!?]

But CN is identical to the server name and openssl verifies the server
certificate correctly. If both root and intermediate CA certificates are imported in
Mozilla the page is opened without problems. However the same thing does not
work in IE - the page cannot be displayed. I am really confused.

RE: Certificate chain problem

Per Nilsson
The root CA certificate needs to be installed in the browser, have you done
that?
It is not enough to put the root CA in the ca chain. The client must be able
to build a certificate chain that ends in a locally trusted certificate
(usually a preinstalled root CA).
I believe the hint in the log file is simply the most likely cause, not the
actual one in this case, which I guess would be (assuming you didn't install
the root ca and the names are correct)

- If you didn't put the root CA in the chain the client will be unable to
verify the signature on the intermediate CA certificate
- If you did put the root CA in the chain the client will end up with an
untrusted root CA certificate

Both of which would cause a bad certificate alert.

Hope this helps

Per Nilsson

Teleca Sweden East AB

eMail:  [hidden email]

Re: Certificate chain problem

Goetz Babin-Ebell
Eleftheria Petraki wrote:
>> > Hi all,
Hello Eleftheria,

>> > I have generated a self signed root certification authority and an
>> > intermediate certification authority signed by the root CA using
>> openssl
>> > 0.9.7g. The intermediate CA signed an apache 1 with mod-ssl SSL server
>> > certificate. Both the root and intermediate PEM certificates are placed
>> > in the file ca.crt pointed by the directive SSLCACertificateFile.
>>
>> How about putting the intermediate CA-certificate in the file
>> ca.chain and let the directive SSLCertificateChainFile point
>> to it? SSLCACertificateFile is IMHO only for accepted CAs
>> for client authentication (so no wonder the server does not
>> accept the connection request, your browser does not have
>> an according client certificate).
>
> Unfortunately it is not working. IE still cannot display the page and
> Mozilla causes the following entry in error_log:
> [Mon Jun 13 16:42:57 2005] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
> in certificate not server name or identical to CA!?]
Perhaps you should start with a more basic approach:

do an
openssl s_client -connect server:443 -CAfile root.crt

(root.crt should only contain the root certificate...)

If this prints somewhere the verify error message
"unable to get local issuer certificate" the server doesn't send
the intermediate CA cert.
(this is an error, only the root cert may be omitted...)

You should insert the intermediate CA cert in the CA cert file
the directive SSLCertificateChainFile points to...

> But CN is identical to server name and openssl verifies correctly the
> server certificate. If both root and intermediate CA certificates are
> imported in Mozilla the page is opened without problems. However the
> same thing does not work in IE - the page cannot be displayed. I am
> realy confused.

In your constellation s_client should print a certificate chain with
2 certificates in it...
* the root cert (from the CAfile) and
* the intermediate cert (provided by the server)


Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

Re: Certificate chain problem

Eleftheria Petraki
Hi all,

with the intermediate CA in the SSLCertificateChainFile, openssl s_client
-connect ... returns verify code: 0 (ok). The certificate chain reports two
certificates, the server and the intermediate CA certificate with the correct
issuers, while just after CONNECTED(0000004) I can see all the certificates in
the chain, including the root CA.

However I still cannot see the page with IE even though the root CA
certificate is correctly imported. Mozilla works only if both root and
intermediate certificates are imported.

I am going to abandon this scheme and use only the root CA.

Thank you for your answers...

Re: Certificate chain problem

Goetz Babin-Ebell
Eleftheria Petraki wrote:
> Hi all,
Hello Eleftheria,

> with the intermediate CA in the SSLCertificateChainFile the openssl
> s_client -connect ...,
> returns verify code: 0 (ok). The certificate chain reports two
> certificates, the server and the intermediate CA certificate with the
> correct issuers, while just after CONNECTED(0000004) I can see all the
> certificates in the chain included the root CA.

Beware:
The certificate verify code in s_client
still has room for improvement.

So s_client having a verify code of 0
doesn't say that the certificate chain is correct and complete...

> However I still cannot see the page with IE even though the root CA
> certificate is correctly imported. Mozilla works only if both root and
> intermediate certificates are imported.

???
Strange.
I remember doing a verify test with a certificate chain
with root and intermediate CA.
And AFAIR Mozilla had no problem with only the root known.

I think for chaining to work,
the CA certificates must be version 3 certificates
with basicConstraints and keyUsage extensions set.

Could you send me the certificates ?

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

Re: Certificate chain problem

Eleftheria Petraki
SUMMARY:

The problem was that the root CA had a pathlen=0, so the intermediate CA
could not be recognized. Setting pathlen=1 solved it.

Many thanks to Goetz for his help.
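An added example, not from the thread or the OpenSSL project: a POSIX shell script that builds a throwaway root / intermediate / server PKI with the openssl command line (OpenSSL 1.1.1 or later is assumed) and reproduces offline, with `openssl verify`, both checks this thread ends on. Without the intermediate supplied, verification fails with Goetz's "unable to get local issuer certificate"; with a root whose basicConstraints carry pathlen:0 (the cause found in the summary), it fails with "path length constraint exceeded" even though the intermediate is present; with pathlen:1 it passes. All subjects, hostnames and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl binary,
# 1.1.1 or later. Everything is built in a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Extension profiles (constructed). The root profiles differ only in the
# pathlen of basicConstraints: pathlen:0 means "no subordinate CA may
# appear below this root", which is exactly what breaks the
# server -> intermediate -> root chain from the thread.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ root_pathlen0 ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ root_pathlen1 ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# build_pki <root extension section>: root.crt -> int.crt -> server.crt
build_pki() {
  for n in root int server; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
  done
  openssl req -new -config ext.cnf -key root.key \
    -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
  openssl x509 -req -days 365 -in root.csr -signkey root.key \
    -extfile ext.cnf -extensions "$1" -out root.crt 2>/dev/null
  openssl req -new -config ext.cnf -key int.key \
    -subj "/CN=Example Intermediate CA" -out int.csr 2>/dev/null
  openssl x509 -req -days 365 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ext.cnf -extensions intermediate -out int.crt 2>/dev/null
  openssl req -new -config ext.cnf -key server.key \
    -subj "/CN=www.example.test" -out server.csr 2>/dev/null
  openssl x509 -req -days 365 -in server.csr -CA int.crt -CAkey int.key \
    -CAcreateserial -extfile ext.cnf -extensions server -out server.crt 2>/dev/null
}

# cert_pathlen <cert>: print the pathlen from basicConstraints, or nothing.
# This is the check to run on the root before blaming the web server.
cert_pathlen() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*pathlen:\([0-9][0-9]*\).*/\1/p'
}

# verify_error [extra verify args]: verify server.crt as a client that
# trusts only root.crt would. Prints "ok" or the reason text of the first
# "error N at D depth lookup: ..." line. Passing "-untrusted int.crt"
# plays the role of the intermediate the server sends from its
# SSLCertificateChainFile; omitting it models a server that sends none.
verify_error() {
  if openssl verify -CAfile root.crt "$@" server.crt >/dev/null 2>&1; then
    echo ok
  else
    openssl verify -CAfile root.crt "$@" server.crt 2>&1 \
      | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

# Demonstration: the thread's broken root (pathlen:0), then the fixed one.
for profile in root_pathlen0 root_pathlen1; do
  build_pki "$profile"
  printf 'root pathlen=%s: no intermediate -> %s; with intermediate -> %s\n' \
    "$(cert_pathlen root.crt)" "$(verify_error)" "$(verify_error -untrusted int.crt)"
done
```

`openssl verify -untrusted` is the offline stand-in for Goetz's `openssl s_client -connect server:443 -CAfile root.crt`: the certificates given as `-untrusted` are treated like the ones a server sends in the handshake, so they may be used to build the path but are not trusted anchors. Note that the pathlen error is raised even though the intermediate itself is perfectly well formed; the constraint lives in the root, which is why importing both CA certificates directly into the browser (as Mozilla needed in the thread) masks the problem.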
