Certificates


Re: Certificates

Goetz Babin-Ebell
Mark wrote:

>> You point at it in the context before the handshake. You can either
>> point at a dir full of digest named ones or a specific root cert file.
>
> Strangely I tried the former which did not work.  The latter method
> appears to work fine (it connected and exchanged data anyway).

did you do a c_rehash <ca_directory> ?

with <ca_directory> being the path to the directory
with the CA file(s) ?

Naturally you have to set the directory in openssl with
the -CApath command line option and the
SSL_CTX_load_verify_locations(ctx, NULL, CApath)
function call...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


RE: Certificates

Mark-62
Hi Goetz,

> >> You point at it in the context before the handshake. You can either
> >> point at a dir full of digest named ones or a specific
> root cert file.
> >
> > Strangely I tried the former which did not work.  The latter method
> > appears to work fine (it connected and exchanged data anyway).
>
> did you do a c_rehash <ca_directory> ?
>
> with <ca_directory> being the path to the directory
> with the CA file(s) ?

Yes.

> Naturally you have to set the directory in openssl with
> the -CApath command line option and the
> SSL_CTX_load_verify_locations(ctx, NULL, CApath)
> function call...

I used SSL_CTX_load_verify_locations(ctx, NULL, CApath)
but did not use the -CApath option anywhere. Where should
that be used?

Cheers, Mark


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Certificates

Goetz Babin-Ebell
Mark wrote:
> Hi Goetz,
Hello Mark,

>>>> You point at it in the context before the handshake. You can either
>>>> point at a dir full of digest named ones or a specific
>> root cert file.
>>> Strangely I tried the former which did not work.  The latter method
>>> appears to work fine (it connected and exchanged data anyway).
>> did you do a c_rehash <ca_directory> ?
>>
>> with <ca_directory> being the path to the directory
>> with the CA file(s) ?
>
> Yes.
Strange.

>> Naturally you have to set the directory in openssl with
>> the -CApath command line option and the
>> SSL_CTX_load_verify_locations(ctx, NULL, CApath)
>> function call...
>
> I used SSL_CTX_load_verify_locations(ctx, NULL, CApath)
> but did not use the -CApath option anywhere. Where should
> that be used?

In the OpenSSL binary...

But since you are using your own program, this doesn't matter.

Could you do an
c_rehash <ca_directory>
openssl verify -CApath <ca_directory> cert_to_check

If this doesn't work, but a
cat <ca_directory>/*.pem >ca.pem
openssl verify -CAfile ca.pem cert_to_check
works,
there is something really strange with your system ...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


RE: Certificates

Mark-62
Hi Goetz,

> But since you are using an own program, this doesn't matter.
>
> Could you do an
> c_rehash <ca_directory>
> openssl verify -CApath <ca_directory> cert_to_check

error 20 at 0 depth lookup:unable to get local issuer certificate
 
> If this doesn't work, but a
> cat <ca_directory>/*.pem >ca.pem
> openssl verify -CAfile ca.pem cert_to_check
> works, there is something really strange with your system ...

Same error:

error 20 at 0 depth lookup:unable to get local issuer certificate

Cheers, Mark

Re: Certificates

Goetz Babin-Ebell
Mark wrote:

> Hi Goetz,
>
>> But since you are using an own program, this doesn't matter.
>>
>> Could you do an
>> c_rehash <ca_directory>
>> openssl verify -CApath <ca_directory> cert_to_check
>
> error 20 at 0 depth lookup:unable to get local issuer certificate
>  
>> If this doesn't work, but a
>> cat <ca_directory>/*.pem >ca.pem
>> openssl verify -CAfile ca.pem cert_to_check
>> works, there is something really strange with your system ...
>
> Same error:
>
> error 20 at 0 depth lookup:unable to get local issuer certificate
This indicates that your CA certificate is not in any of the *.pem
files in your CA directory.

if an
openssl verify -CAfile <your_ca_file> cert_to_check
succeeds, then the CA cert is in the file but not
in the CA dir (at least not with the suffix .pem).

Is it possible you stored the ca cert with another suffix
(like .crt) ?

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


RE: Certificates

Mark-62
Hi Goetz,

> >> cat <ca_directory>/*.pem >ca.pem
> >> openssl verify -CAfile ca.pem cert_to_check
> >> works, there is something really strange with your system ...
> >
> > Same error:
> >
> > error 20 at 0 depth lookup:unable to get local issuer certificate
>
> This indicates that your CA certificate is not in any of the *.pem
> files in your CA directory.
>
> if an
> openssl verify -CAfile <your_ca_file> cert_to_check
> succeeds, then the CA cert is in the file but not
> in the CA dir (at least not with the suffix .pem).
>
> Is it possible you stored the ca cert with another suffix
> (like .crt) ?

Yes.  It is stored with the filename "root.cert".

My config file seems to point to the correct file:

certificate             = $dir/certs/root.cert

Best Regards,
Mark

Re: Certificates

Goetz Babin-Ebell
Mark wrote:

>>>> cat <ca_directory>/*.pem >ca.pem
>>>> openssl verify -CAfile ca.pem cert_to_check
>>>> works, there is something really strange with your system ...
>>> Same error:
>>>
>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>> This indicates that your CA certificate is not in any of the *.pem
>> files in your CA directory.
>>
>> if an
>> openssl verify -CAfile <your_ca_file> cert_to_check
>> succeeds, then the CA cert is in the file but not
>> in the CA dir (at least not with the suffix .pem).
>>
>> Is it possible you stored the ca cert with another suffix
>> (like .crt) ?
>
> Yes.  It is stored with the filename "root.cert".
At least my c_rehash expects CA certs to have the suffix .pem.
And since the -CApath param needs hashes generated by c_rehash
to find the certificates, it will fail...

> My config file seems to point to the correct file:
>
> certificate             = $dir/certs/root.cert

doesn't help with the -CApath extension
(and the SSL_CTX_load_verify_locations() function)...

Fix the extension to .pem, run c_rehash and verify should
succeed...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
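
An added, runnable illustration of what this thread arrives at (a script written for this page, not code from the list or from the OpenSSL project): it builds a throwaway root and leaf certificate with the openssl command line, stores the root as certs/root.cert the way Mark did, and shows why -CApath lookup cannot find it until the file is renamed to .pem and the directory is rehashed. Instead of calling c_rehash it does the linking itself with `openssl x509 -subject_hash`, which is the operation c_rehash performs, so it needs nothing but the openssl binary. The CN values, directory layout and function names are all made up for the example.

```sh
#!/bin/sh
# Added example for this thread, not code from the list or from OpenSSL.
# Builds a throwaway root + leaf, stores the root as certs/root.cert (the
# suffix from the thread), and shows why -CApath lookup fails until the file
# is renamed to .pem and the directory is rehashed. The rehash step is done
# by hand with `openssl x509 -subject_hash`, which is what c_rehash does.
# Needs only the openssl binary; all names and paths below are made up.
set -eu

# Minimal openssl.cnf so the root carries basicConstraints=CA:TRUE no matter
# what the system default config says; an empty [dn] is fine since -subj is used.
write_ca_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# $1 = work directory. Creates $1/certs/root.cert (self-signed root) and
# $1/leaf.pem (end-entity cert issued by that root).
make_test_pki() {
  dir=$1
  mkdir -p "$dir/certs"
  write_ca_config "$dir/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=Example Test Root" -days 30 \
    -keyout "$dir/root.key" -out "$dir/certs/root.cert" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=leaf.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/certs/root.cert" \
    -CAkey "$dir/root.key" -CAcreateserial -days 30 \
    -out "$dir/leaf.pem" 2>/dev/null
}

# What c_rehash does for the files it accepts: drop stale hash links, then add
# one <subject_hash>.N symlink per certificate (N counts up on a collision).
# Like the c_rehash in the thread, only *.pem is considered; root.cert is skipped.
rehash_pem_dir() {
  dir=$1
  for old in "$dir"/*.[0-9]*; do
    if [ -L "$old" ]; then rm "$old"; fi
  done
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue            # pattern matched nothing
    h=$(openssl x509 -noout -subject_hash -in "$f")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$f")" "$dir/$h.$n"
  done
}

# Exit 0 if `openssl verify -CApath $1 $2` builds the chain, 1 otherwise.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Reproduce the thread end to end. Returns 0 only if lookup fails with
# root.cert and succeeds after the rename to root.pem plus a rehash.
run_demo() {
  work=$(mktemp -d)
  capath=$work/certs
  make_test_pki "$work"

  rehash_pem_dir "$capath"                       # nothing ends in .pem yet
  if verify_with_capath "$capath" "$work/leaf.pem"; then before=OK; else before=FAIL; fi

  mv "$capath/root.cert" "$capath/root.pem"      # the fix from the thread
  rehash_pem_dir "$capath"
  if verify_with_capath "$capath" "$work/leaf.pem"; then after=OK; else after=FAIL; fi

  echo "root.cert in CApath: $before"
  echo "root.pem  in CApath: $after"
  rm -rf "$work"
  [ "$before" = FAIL ] && [ "$after" = OK ]
}

run_demo
```

Run it as a script; it prints the lookup result before and after the rename. A few points worth knowing when adapting this: the <hash>.N name is what the X509_LOOKUP_hash_dir method, and therefore SSL_CTX_load_verify_locations(ctx, NULL, CApath), looks for, so a directory that works for `openssl verify -CApath` works for the application as well. The hash algorithm changed in OpenSSL 1.0.0 (the old name is still available as `-subject_hash_old`), so a directory rehashed with one major version is not necessarily usable by another. Releases from 1.1.0 on ship `openssl rehash`, which does the same job as c_rehash and also accepts .crt, .cer and .crl. Finally, `openssl verify` still loads the default CA file when only -CApath is given (1.1.0 and later have -no-CAfile to stop that), so a root that happens to sit in the system bundle can mask a broken directory; SSL_CTX_load_verify_locations() does not do that and uses only what you pass it.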

RE: Certificates

Mark-62
Hi Goetz,

> At least my c_rehash expects CA certs to have the suffix .pem.
> And since the -CApath param needs hashes generated by c_rehash
> to find the certificates, it will fail...
>
> Fix the extension to .pem, run c_rehash and verify should
> succeed...

Thanks. That does it :-)

Cheers,
   Mark