Creating CA certificates

Abhishek Kane
Hi,

I am using the following steps to create the CA & server certificate:

1. Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
-key ca-key.pem > ca-cert.pem


2. Create server certificate
shell> openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem


Now, the certificates get created without any error. But when I run openssl s_server I get the following error:

unable to load server certificate private key file
4174:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

Are the steps correct?

Thanks,
Kane
Re: Creating CA certificates

vishal saraswat
Hi,

To my surprise, I tried the same steps and I am getting a similar kind of error.

Please help me as well, if you get a solution.

Thanks and regards,
Vishal

Re: Creating CA certificates

Serge Fonville
The request is signed with the CA private key.
What command do you use when you start the s_server?

HTH

Regards,

Serge Fonville

Re: Creating CA certificates

Serge Fonville
I forgot,

I used this as examples

Also, googling on openssl certificate authority seems to help

Re: Creating CA certificates

vishal saraswat
Hi Serge,

I followed this link but ran into the same problem.

I use the following commands to start the server and the client:

Server:
openssl s_server -accept <port number> -cert <certificate I create>

Client:
openssl s_client -connect localhost:<port number>

I was wondering, do I need to do anything specific for the client certificate?

Thanks a lot,

-Vishal

Re: Creating CA certificates

sandeep kiran p
You should also provide the server's private key to the "openssl s_server" command. From above, I see that your server's private key is server-key.pem, so your command should be something like:

openssl s_server -accept <port number> -cert <certificate I create> -key server-key.pem

Here server-key.pem would be your server's private key file.

Thanks
Sandeep

Re: Creating CA certificates

Goetz Babin-Ebell
In reply to this post by vishal saraswat
vishal saraswat wrote:
| Hi Serge,
Hello vishal,

| I use the following commands to start the server and the client :
|
| Server:
| openssl s_server -accept /<port number>/ -cert /<certificate I create>/
You do know that the server needs the private key and the certificate to
work?
You only set the certificate file name.


Goetz

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Creating CA certificates

Abhishek Kane
Thanks guys,
All these comments helped a lot! Things are working for me now.

Re: Creating CA certificates

vishal saraswat
In reply to this post by Goetz Babin-Ebell
Hi all,

I am sorry, I forgot to tell you that the final PEM I create is composed of both the key and the certificate.

cat server_key.pem server_cert.pem > server.pem

I read on some blogs that some servers require both to be in one file; that is why, to be on the safer side, I started following this practice. I hope it's fine.

Now I suppose that once a client is successfully connected it should return code 0 and an OK message. Right? But I get return values of 7 (Certificate Signature Failure) and 21 (Unable to verify the first certificate).

Are we on the same pitch?

Thanks a lot.

-Vishal

P.S. Can I connect multiple s_clients to a single s_server?

Re: Creating CA certificates

Abhishek Kane
Well, I am also getting the same verify error (7), but the connection does not break.

Re: Creating CA certificates

sandeep kiran p
In reply to this post by vishal saraswat
Can you send the commands that you are using to run s_server and s_client?

Re: Creating CA certificates

Goetz Babin-Ebell
In reply to this post by vishal saraswat
vishal saraswat wrote:
| Hi all,
Hello vishal,

| I am sorry, I forgot to tell you that the final PEM I create is composed
| of key and certificate both.
|
| cat server_key.pem server_cert.pem > server.pem

| Now I suppose that one a client is successfully connected it should
| return me code as 0 and an OK message. Right? But I get return value as
| 7(Certificate Signature Failure), 21(Unable to verify the first
| certificate.)

Does the client have the CA certificate that signed the server certificate?

If not (and it seems that it doesn't), it can't verify the server
certificate.


Goetz

RE: Creating CA certificates

Dave Thompson-4
In reply to this post by vishal saraswat
> From: [hidden email] On Behalf Of vishal saraswat
> Sent: Tuesday, 18 August, 2009 07:44

> I am sorry, I forgot to tell you that the final PEM I create
> is composed of key and certificate both.
> cat server_key.pem server_cert.pem > server.pem
> I read on some blogs that some server require both to be in one file
> that why to be on safer side I started following this practice. I hope its
> fine.

It's OK. OpenSSL commandline does not require this, but does allow it.
       
> Now I suppose that one a client is successfully connected
> it should return me code as 0 and an OK message. Right?
> But I get return value as 7(Certificate Signature Failure),
> 21(Unable to verify the first certificate.)

Signature failure? Not just "unable to get issuer"?

To verify, any client does need to have available the CA cert
that signed the cert the server uses. In the general case with
the client on a different machine than the server this must be
a copy, and thus you need to make sure the right file (version)
gets copied, but for loopback testing you can use the same file(s).

s_client supports two ways: a single file containing either one CAcert
or several concatenated, specified with -CAfile; or a directory specified
by -CApath that contains a file for each CA cert with its filename or
a symlink to it using the hash of the cert's name, allowing lookup.

In your earlier email s_client specified neither of these and should
have gotten 20 unable to get local issuer cert (and 21 unable to verify).
I think the only way you should get signature failure is if
you give s_client a CAcert which is for the correct CA name
but has a different public key. Perhaps, if you've tried this
(sort of) test several times, the file from an earlier iteration.

> p.s. - Can I connect multiple s_client to a single s_server ?
       
In sequence, but not concurrently. For that you need a real server. <G>
       

Re: Creating CA certificates

vishal saraswat
Hi all,

I am still getting the same error:
7 (Certificate Signature Failure)

@Sandeep: I am using the following commands for the server and client respectively.

openssl s_server -accept 9000 -cert ~/certs/server.pem
openssl s_client -connect localhost:9000

@Goetz: Well, I hope I am doing it. But maybe I don't get your point quite clearly. This is what I do (names changed):
$> openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

I hope this is enough. But I don't provide any such certificate argument at the client end. Do I need to? However, initially when I
encountered this error I created several certificates for the client, using the same procedure as for the server certificate.

@Dave: I think you have the same point as Goetz. I think we all are on the same pitch but something somewhere is definitely wrong.

I am sorry that I took so much time to reply. I was writing some small code to test the same client/server communication. But no good.

Thank you everyone,
-Vishal

Re: Creating CA certificates

vishal saraswat
Hi all,

The problem has been solved; adding -CAfile to the s_client did the trick.

Thanks a lot everyone for the help.
-Vishal

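The whole procedure the thread converges on, as an added example (this script is not from the thread or from the OpenSSL project): the CA and server-certificate steps from the first post, the `-key` argument to s_server that Sandeep and Goetz point out, the `-CAfile` and `-CApath` forms Dave describes for s_client, and the offline checks that tell the two failure modes apart. It goes beyond the thread in one way: it also builds a second CA with the same subject name but a different key, which is Dave's explanation for verify error 7 rather than 20/21, and confirms that the server certificate is rejected against it. Assumptions: OpenSSL 1.1 or 3.x on PATH, a scratch directory in `$WORK` (a temp dir by default), TCP port `$PORT` (9000, as in Vishal's commands) free on 127.0.0.1, and the subject names "Example Test CA" and "localhost", passed with `-subj` so the commands run unattended; none of these appear in the original posts.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: openssl on PATH,
# $WORK scratch dir, $PORT free on loopback, subject names chosen here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-9000}"

# 1. Self-signed CA, as in the first post (plus -subj for unattended use).
#    $1 = CN, $2 = file prefix; writes $2-key.pem and $2-cert.pem.
make_ca() {
  openssl genrsa -out "$2-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 1000 -key "$2-key.pem" \
    -subj "/CN=$1" -out "$2-cert.pem" 2>/dev/null
}

# 2. Server key + CSR, then sign the CSR with the CA whose prefix is $1.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server-key.pem" \
    -subj "/CN=localhost" -out "$WORK/server-req.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/server-req.pem" -days 1000 \
    -CA "$1-cert.pem" -CAkey "$1-key.pem" -set_serial 01 \
    -out "$WORK/server-cert.pem" 2>/dev/null
}

# Check A: the private key belongs to the certificate. The first post's
# "no start line ... Expecting: ANY PRIVATE KEY" came from giving s_server a
# file that held no key at all; this compares the public halves instead.
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$WORK/server-cert.pem" | openssl sha256)
  k=$(openssl pkey -pubout -in "$WORK/server-key.pem" 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Check B: the server cert chains to the CA file $1 (what s_client -CAfile
# does during the handshake). Exit status 0 means the chain verifies.
verify_with_cafile() {
  openssl verify -CAfile "$1" "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Check C: the -CApath layout Dave describes: a directory holding the CA cert
# under <subject-hash>.0, the name c_rehash would give it.
verify_with_capath() {
  dir="$WORK/capath"; mkdir -p "$dir"
  h=$(openssl x509 -noout -hash -in "$1")
  cp "$1" "$dir/$h.0"
  openssl verify -CApath "$dir" "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Loopback handshake: s_server with -cert AND -key, s_client with -CAfile.
# Returns 0 when the client prints "Verify return code: 0 (ok)".
handshake_ok() {
  openssl s_server -accept "$PORT" -cert "$WORK/server-cert.pem" \
    -key "$WORK/server-key.pem" -quiet >/dev/null 2>&1 &
  srv=$!
  sleep 1
  out=$(echo Q | openssl s_client -connect "127.0.0.1:$PORT" \
    -CAfile "$WORK/ca-cert.pem" 2>/dev/null || true)
  kill "$srv" 2>/dev/null || true
  echo "$out" | grep -q 'Verify return code: 0 (ok)'
}

make_ca "Example Test CA" "$WORK/ca"
make_ca "Example Test CA" "$WORK/other-ca"   # same name, different key
make_server_cert "$WORK/ca"
key_matches_cert && echo "server key matches server certificate"
verify_with_cafile "$WORK/ca-cert.pem" && echo "chain verifies against the issuing CA"
verify_with_cafile "$WORK/other-ca-cert.pem" || echo "chain rejected against a same-named CA with a different key"
verify_with_capath "$WORK/ca-cert.pem" && echo "chain verifies via -CApath"
handshake_ok && echo "s_client reports verify return code 0" || echo "loopback handshake skipped (port busy or sockets restricted)"
```

Run it with `sh` and inspect `$WORK` afterwards; the two offline checks are the ones worth keeping in a deployment script, since a key/certificate mismatch or a stale CA copy shows up there before any TLS endpoint is started. The same-named second CA is the case Dave describes: the client finds a candidate issuer by name but the signature does not check out, so the failure is a signature error rather than "unable to get local issuer certificate".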