When I do that, I now get:

RAPTOR_$ openssl s_client -connect adtest:636 "-CAfile" certnew.pem
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/CN=adtest.altdomain2000.psccos.com
i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
Server certificate

issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
Acceptable client certificate CA names

SSL handshake has read 3950 bytes and written 342 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
Protocol : TLSv1
Cipher : RC4-MD5
AF0A0000C37F50DE8F069E626AF23D763831B871E78B7AD088 6FB042B6731262
BB25F868F436649E68039E54D6F712E3AFDB6E523DA3A0FB0E 16A9470F9D3CCE
Key-Arg : None
Start Time: 1159402472
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
bad select 38

I obviously have the wrong certificates, but I have no idea (as should also
be obvious) what certificates I really do need. The file I used as input
to the -CAfile switch is the "CA Certification Path" as downloaded from the
Windows box that runs the CA, and that I converted to PEM format. There's
something not kosher about that certificate, but darned if I have any idea

Any more suggestions?

At 03:39 PM 9/27/2006, Richard Levitte - VMS Whacker wrote:
>Hi Dan,
>In message <> on Mon, 25 Sep
>2006 09:50:32 -0600, Dan O'Reilly said:
>dano> My CA is another system (Windows) and I requested it to create
>dano> the trusted root certificate in PKCS7 format, which I copied to
>dano> my VMS system. I can use OPENSSL PKCS7 to view the package
>dano> contents, and it contains a single certificate. I then tried to
>dano> do an OPENSSL VERIFY on that package, and it keeps coming up
>dano> errors. Finally, I tried "openssl s_clienit -connect
>dano> :636 -certfore der -CAfile
>dano> and it comes up with the following:
>You need to extract the certificate from that PKCS#7 package and use
>the resulting file. Since OPENSSL PKCS7 will give you the certificate
>in PEM format, the best you can probably do is save that in a .PEM
>file, and then use it as follows:
>openssl s_client -connect :636 -CAfile .PEM
>Please consider sponsoring my work on free software.
http://www.free.lp.se/sponsoring.html for details.
>Richard Levitte richard@levitte.org
> http://richard.levitte.org/
>"When I became a man I put away childish things, including
> the fear of childishness and the desire to be very grown up."
> -- C.S. Lewis
>__________________________________________________ ____________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List openssl-users@openssl.org
>Automated List Manager majordomo@openssl.org

| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org