problem with converting pfx to pem and Verisign Intermediate CA

brianmas
hello list,
We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle https
requests to our server, and it's come to my attention that Firefox users (non-IE users,
I assume) get a message about not being able to verify the authenticity
of the certificate when they sign onto our sites, due to Verisign having a newer
Intermediate CA. I was given the "pfx" file, which I converted to pem with the
set of commands below:

openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
openssl rsa -in wfkey030106.pem -out wfcert030106.pem
openssl x509 -in wfkey030106.pem >>wfcert030106.pem

Verisign told us to update the intermediate cert with the one here:
http://www.verisign.com/support/install2/intermediate.html but when I try to
replace the 'BEGIN CERTIFICATE' section in the files above I get errors like
this:

error reading private key: error"..., 111error reading private key:
error:0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch

So my question is: using the new Intermediate CA and the pfx file above, how can I
wind up with a working .pem file?

Thank you,
brian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: problem with converting pfx to pem and Verisign Intermediate CA

Dr. Stephen Henson
On Mon, Mar 06, 2006, [hidden email] wrote:

> hello list,
> We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle https
> requests to our server, and it's come to my attention that Firefox users (non-IE users,
> I assume) get a message about not being able to verify the authenticity
> of the certificate when they sign onto our sites, due to Verisign having a newer
> Intermediate CA. I was given the "pfx" file, which I converted to pem with the
> set of commands below:
>
> openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
> openssl rsa -in wfkey030106.pem -out wfcert030106.pem
> openssl x509 -in wfkey030106.pem >>wfcert030106.pem
>
> Verisign told us to update the intermediate cert with the one here:
> http://www.verisign.com/support/install2/intermediate.html but when I try to
> replace the 'BEGIN CERTIFICATE' section in the files above I get errors like
> this:
>
> error reading private key: error"..., 111error reading private key:
> error:0B080074:x509 certificate routines:X509_check_private_key:key values
> mismatch
>
> So my question is: using the new Intermediate CA and the pfx file above, how can I
> wind up with a working .pem file?
>

Have a look in the pem file.

If you have more than one certificate (the stuff with BEGIN CERTIFICATE and
END CERTIFICATE ) delete any after the first.

Then append the intermediate certificate data to the end of the file.

You can use the OpenSSL s_client utility to check it works OK.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: problem with converting pfx to pem and Verisign Intermediate CA

brianmas
Quoting "Dr. Stephen Henson" <[hidden email]>:

> On Mon, Mar 06, 2006, [hidden email] wrote:
>
> > hello list,
> > We're using sslproxy (http://sourceforge.net/projects/sslproxy/) to handle https
> > requests to our server, and it's come to my attention that Firefox users (non-IE users,
> > I assume) get a message about not being able to verify the authenticity
> > of the certificate when they sign onto our sites, due to Verisign having a newer
> > Intermediate CA. I was given the "pfx" file, which I converted to pem with the
> > set of commands below:
> >
> > openssl pkcs12 -in wf_export_01062006.pfx -out wfkey030106.pem
> > openssl rsa -in wfkey030106.pem -out wfcert030106.pem
> > openssl x509 -in wfkey030106.pem >>wfcert030106.pem
> >
> > Verisign told us to update the intermediate cert with the one here:
> > http://www.verisign.com/support/install2/intermediate.html but when I try to
> > replace the 'BEGIN CERTIFICATE' section in the files above I get errors like
> > this:
> >
> > error reading private key: error"..., 111error reading private key:
> > error:0B080074:x509 certificate routines:X509_check_private_key:key values
> > mismatch
> >
> > So my question is: using the new Intermediate CA and the pfx file above, how can I
> > wind up with a working .pem file?
> >
>
> Have a look in the pem file.
>
> If you have more than one certificate (the stuff with BEGIN CERTIFICATE and
> END CERTIFICATE ) delete any after the first.
>
> Then append the intermediate certificate data to the end of the file.
>
> You can use the OpenSSL s_client utility to check it works OK.

I've already done this except for the testing with s_client part; I tested with
Firefox, which still generates the same error. I just tested with
s_client and I get "Verify return code 21: unable to verify the first
certificate".

Is there any other information I can give the list to help find a solution?

>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
Re: problem with converting pfx to pem and Verisign Intermediate CA

Dr. Stephen Henson
On Mon, Mar 06, 2006, [hidden email] wrote:

> Quoting "Dr. Stephen Henson" <[hidden email]>:
>
> I've already done this except for the testing with s_client part; I tested with
> Firefox, which still generates the same error. I just tested with
> s_client and I get "Verify return code 21: unable to verify the first
> certificate".
>

Use the -showcerts option to s_client to see which certificates the server is
sending.

Also include the root CA as an argument to the -CAfile option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: problem with converting pfx to pem and Verisign Intermediate CA

brianmas
Quoting "Dr. Stephen Henson" <[hidden email]>:

> On Mon, Mar 06, 2006, [hidden email] wrote:
>
> > Quoting "Dr. Stephen Henson" <[hidden email]>:
> >
> > I've already done this except for the testing with s_client part; I tested with
> > Firefox, which still generates the same error. I just tested with
> > s_client and I get "Verify return code 21: unable to verify the first
> > certificate".
> >
>
> Use the -showcerts option to s_client to see which certificates the server is
> sending.

It's sending both in the pem ...

>
> Also include the root CA as an argument to the -CAfile option.

Same results (code 21).


Re: problem with converting pfx to pem and Verisign Intermediate CA

Dr. Stephen Henson
On Mon, Mar 06, 2006, [hidden email] wrote:

> Quoting "Dr. Stephen Henson" <[hidden email]>:
>
> > On Mon, Mar 06, 2006, [hidden email] wrote:
> >
> > > Quoting "Dr. Stephen Henson" <[hidden email]>:
> > >
> > > I've already done this except for the testing with s_client part; I tested with
> > > Firefox, which still generates the same error. I just tested with
> > > s_client and I get "Verify return code 21: unable to verify the first
> > > certificate".
> > >
> >
> > Use the -showcerts option to s_client to see which certificates the server is
> > sending.
>
> It's sending both in the pem ...
>
> >
> > Also include the root CA as an argument to the -CAfile option.
>
> Same results (code 21).
>

Can you give the full error message?

It looks like it is the wrong intermediate CA being sent.

With the server cert do:

openssl x509 -in cert.pem -issuer -noout

that should match:

openssl x509 -in intermediate.pem -subject -noout

Is this server on the internet somewhere? If so I can work out which
intermediate CA you need.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
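The checks Steve describes above, collected into one script. This is an added example, not code from the thread or from the sslproxy project: it pulls the key and the leaf certificate out of the .pfx, confirms the key still matches the certificate (the `X509_check_private_key` "key values mismatch" from the first message is what you get when the block that was replaced was the server certificate rather than the intermediate), compares the leaf's issuer with the intermediate's subject, runs the same chain verification `s_client` performs, and only then writes the leaf-plus-intermediate chain file. It assumes a recent `openssl` CLI (1.1.1 or 3.x) on PATH; every file name (`site.pfx`, `intermediate.pem`, `root.pem`, `chain.pem`, the function names) is a placeholder chosen here, not something from the thread.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a key + leaf + intermediate set,
# automating the by-hand diagnosis from the thread. Not code from the thread
# or from sslproxy. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; all
# file names below are placeholders chosen by the caller.
set -u

# Split a PKCS#12 (.pfx) into an unencrypted private key and the leaf
# certificate only (-clcerts drops any CA certs bundled in the .pfx, so
# they cannot be confused with the new intermediate later).
pfx_split() {  # pfx_split site.pfx key.out cert.out [password]
    pass=${4:-}
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$pass" -out "$2" &&
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$pass" -out "$3"
}

# 0 if the public key in the certificate equals the one derived from the
# private key. A failure here is the "X509_check_private_key: key values
# mismatch" from the first message: the BEGIN CERTIFICATE block that was
# replaced was the server certificate, not the intermediate.
key_matches_cert() {  # key_matches_cert key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print a certificate's subject or issuer in RFC 2253 form with the
# "subject="/"issuer=" prefix stripped, so two names compare as strings.
dn_of() {  # dn_of -subject|-issuer cert.pem
    openssl x509 -in "$2" "$1" -noout -nameopt RFC2253 | sed 's/^[^=]*=//'
}

# Steve's test: the leaf's issuer name must equal the intermediate's
# subject name. A wrong intermediate (the thread's actual bug) fails here.
issued_by_name() {  # issued_by_name leaf.pem intermediate.pem
    [ "$(dn_of -issuer "$1")" = "$(dn_of -subject "$2")" ]
}

# The signature check s_client performs for you; "verify return code 21"
# is what a chain that fails here looks like from the client side.
verify_chain() {  # verify_chain root.pem intermediate.pem leaf.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Write the file the proxy serves: leaf first, intermediate appended,
# root omitted. Refuses to write a chain whose names do not line up.
build_chain() {  # build_chain leaf.pem intermediate.pem chain.out
    if ! issued_by_name "$1" "$2"; then
        echo "refusing: $(dn_of -issuer "$1") != $(dn_of -subject "$2")" >&2
        return 1
    fi
    cat "$1" "$2" > "$3"
}

# Usage: sh chaincheck.sh site.pfx intermediate.pem root.pem [password]
if [ "$#" -ge 3 ]; then
    pfx_split "$1" server.key server.crt "${4:-}" &&
    key_matches_cert server.key server.crt &&
    issued_by_name server.crt "$2" &&
    verify_chain "$3" "$2" server.crt &&
    build_chain server.crt "$2" chain.pem &&
    echo "chain.pem written; serve server.key + chain.pem"
fi
```

Run it as `sh chaincheck.sh site.pfx intermediate.pem root.pem [password]`. The root is used only as the trust anchor for `openssl verify` and is never written into `chain.pem`, which keeps the served file to what Steve recommends: the server certificate followed by the intermediate. The name comparison (`issued_by_name`) catches the wrong-intermediate case before anything is deployed; the signature check (`verify_chain`) catches the rarer case where the names agree but the intermediate is a different certificate with the same subject.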

Re: problem with converting pfx to pem and Verisign Intermediate CA

brianmas
Quoting "Dr. Stephen Henson" <[hidden email]>:

> On Mon, Mar 06, 2006, [hidden email] wrote:
>
>
> Can you give the full error message?
>
> It looks like it is the wrong intermediate CA being sent.
>
> With the server cert do:
>
> openssl x509 -in cert.pem -issuer -noout
>
> that should match:
>
> openssl x509 -in intermediate.pem -subject -noout
>
> Is this server on the internet somewhere? If so I can work out which
> intermediate CA you need.

Solved. The tech at Verisign gave our web guy the wrong intermediate; I talked
to someone else and had the correct one within 5 minutes.

thanks!

brian
