I'm getting an error attempting to create a p12 file using OpenSSL. I
can't seem to find anything that will lead me to a resolution. The
error I'm getting is:
"unable to get local issuer certificate getting chain"

My setup is on a Windows server using Tomcat, with Apache. Apache is
listening on 80 and redirects to 8080, where the application lives.

What I did [hope this is not too detailed]:
- 2 years ago we purchased and downloaded an SSL cert from Verisign and
named it server.crt,
- Downloaded the Intermediate cert (chain).
- Created an additional single file with the Intermediate cert, then the
SSL cert below that text (concatenated the files with the intermediate
on top), saved it as separate file called cachain.crt.
- Ran the command:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -Cafile cachain.crt -caname root -chain
- This gave me the server.p12 file that is being used right now. This
expires in 12 days

Now:
- I gave our midrange team (who have the account with Verisign) a copy
of the server.key file from my web server (from last year), they created
a cert.csr file, sent it to Verisign
- Sent me back a zip file that contained a cert.arm file (not familiar
with an ARM file, but the text within is the certificate) cert.csr, and
the server.key file
- I downloaded a new Intermediate CA (Managed PKI Standard SSL
Intermediate CA.txt) and created a file called cachain.crt (concatenated
the files with the intermediate on top and the certificate below).

Issue:
- I've been attempting to create a server.p12 file using my notes from
last year. Installed OpenSSL under c:\openssl

- Copied all of the files to c:\openssl\bin

Issue the command:
C:\OpenSSL\bin>openssl pkcs12 -export -in cert.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain2.crt -caname root -chain
Loading 'screen' into random state - done
Error unable to get local issuer certificate getting chain.


Viewed all of the files using Textpad to ensure Notepad didn't add any
funky characters, and also reproduced the same error on my second PC.

A tip from another mail archive led me to run the following, and I'm not
sure if the problem is here?

Current "arm" file, and intermediate chain:
openssl x509 -in cert.arm -issuer -noout
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA

openssl x509 -in chain.crt -issuer -noout
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Here's what it shows on the production files that are working fine (but
due to expire soon).
Old crt file and chain (that is in production now)
C:\OpenSSL\GnuWin32\bin>openssl x509 -in chain_old.crt -issuer -noout
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority


openssl x509 -in cert_old.crt -issuer -noout
issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

There is also the possibility that there is something wrong with the
cert, but I just don't know. My midrange friends are on vacation for a
while, so I'm on my own. Please help if you can.
Thank you.



__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
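
An added illustration, not part of the original message: the script builds a constructed root, intermediate and server certificate, then runs the same `pkcs12 -export ... -chain` command against two `-CAfile` bundles. OpenSSL reports "unable to get local issuer certificate" when no certificate in the bundle has a subject equal to the server certificate's issuer, which is what `issuer_in_bundle` checks. All file names, subject names, the helper function names and the `changeit` password are assumptions.

```shell
#!/bin/sh
# Added example. Constructed PKI (root -> intermediate -> server); all names made up.
d=$(mktemp -d)
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
newreq() { openssl req -config "$d/ca.cnf" -batch -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
sign() {  # $1 = name to sign, $2 = signing CA name, rest = extra x509 options
  n=$1; ca=$2; shift 2
  openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 2 -out "$d/$n.crt" "$@" 2>/dev/null
}
newreq -x509 -days 2 -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.crt"
newreq -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr"
sign int root -extfile "$d/ca.cnf" -extensions v3_ca
newreq -subj "/CN=www.example.test" -keyout "$d/server.key" -out "$d/server.csr"
sign server int

# Does any certificate in bundle $2 have a subject equal to the issuer of $1?
# `openssl x509 -in FILE` reads only the first PEM block, so list the whole bundle.
issuer_in_bundle() {
  want=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  openssl crl2pkcs7 -nocrl -certfile "$2" | openssl pkcs7 -print_certs -noout |
    sed -n 's/^subject= *//p' | grep -Fxq "$want"
}
# The export command from the message, with -CAfile ($1) as the only variable.
try_export() {
  openssl pkcs12 -export -in "$d/server.crt" -inkey "$d/server.key" -out "$d/server.p12" \
    -name tomcat -CAfile "$1" -caname root -chain -passout pass:changeit 2>"$d/err.txt"
}

cat "$d/root.crt" "$d/server.crt" > "$d/cachain_wrong.crt"  # a CA cert, but not the issuer
cat "$d/int.crt" "$d/root.crt" > "$d/cachain_full.crt"      # the issuer and its root
for f in cachain_wrong.crt cachain_full.crt; do
  issuer_in_bundle "$d/server.crt" "$d/$f" && echo "$f: issuer present" || echo "$f: issuer MISSING"
  try_export "$d/$f" && echo "$f: export ok" || { echo "$f: export failed"; cat "$d/err.txt"; }
done
```

When the issuer is in the bundle but that certificate's own issuer is not, OpenSSL's message is "unable to get issuer certificate" instead.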