On Fri, Jan 11, 2008, Meurer, Jerry L. (STL) wrote:

> I'm getting an error attempting to create a p12 file using OpenSSL. I
> can't seem to find anything that will lead me to a resolution. The
> error I'm getting is:
> "unable to get local issuer certificate getting chain"
> My setup is on a Windows server using Tomcat, with Apache. Apache
> listening on 80, and redirects to 8080 where the application lives.
> What I did [hope this is not too detailed]:
> - 2 years ago we purchased and downloaded an SSL cert from Verisign and
> named it server.crt,
> - Downloaded the Intermediate cert (chain).
> - Created an additional single file with the Intermediate cert, then the
> SSL cert below that text (concatenated the files with the intermediate
> on top), saved it as separate file called cachain.crt.
> - Ran the command:
> openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
> -name tomcat -Cafile cachain.crt -caname root -chain
> - This gave me the server.p12 file that is being used right now. This
> expires in 12 days
> Now:
> - I gave our midrange team (who have the account with Verisign) a copy
> of the server.key file from my web server (from last year), they created
> a cert.csr file, sent it to Verisign
> - Sent me back a zip file that contained a cert.arm file (not familiar
> with an ARM file, but the text within is the certificate) cert.csr, and
> the server.key file
> - I downloaded a new Intermediate CA (Managed PKI Standard SSL
> Intermediate CA.txt) and created a file called cachain.crt (concatenated
> the files with the intermediate on top and the certificate below).
> Issue:
> - I've been attempting to create a server.p12 file using my notes from
> last year. Installed OpenSSL under c:\openssl
> -Copied all of the files to c:\openssl\bin
> Issue the command:
> C:\OpenSSL\bin>openssl pkcs12 -export -in cert.crt -inkey server.key -out server.p12 -name tomcat -CAfile cachain2.crt -caname root -chain
> Loading 'screen' into random state - done
> Error unable to get local issuer certificate getting chain.
> Viewed all of the files using Textpad to ensure Notepad didn't add any
> funky characters, and also reproduced the same error on my second PC.
> A tip from another mail archive led me to run the following, and I'm not
> sure if the problem is here?
> Current "arm" file, and intermediate chain:
> openssl x509 -in cert.arm -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> openssl x509 -in chain.crt -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> Here's what it shows on the production files that are working fine (but
> due to expire soon).
> Old crt file and chain (that is in production now)
> C:\OpenSSL\GnuWin32\bin>openssl x509 -in chain_old.crt -issuer -noout
> issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
> openssl x509 -in cert_old.crt -issuer -noout
> issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
> There is also the possibility that there is something wrong with the
> cert, but I just don't know. My midrange friends are on vacation for a
> while, so I'm on my own. Please help if you can.
> Thank you.

I suspect there were two certificates in the chain before and now there are
three, or the previous intermediate file included all CA certificates and now
only includes the intermediate and not the root.

See how many certificates are in the two chain.crt files?

Then do:

openssl x509 -subject -issuer -in chain.crt

on each. The solution I suspect is to append the root CA file to the chain.crt
file. This is probably the file certs/vsign3.pem in the OpenSSL distribution.
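One thing to keep in mind when following the advice above: `openssl x509 -in chain.crt` only reads the first PEM block in a file, so running it once on a concatenated bundle tells you nothing about the certificates below the first one. The script below is an added example (not from this thread or from the OpenSSL project): it splits a bundle into its individual CERTIFICATE blocks, runs `openssl x509 -subject -issuer -noout` on each block separately, and then reports any issuer name that no certificate in the bundle carries as its subject, which is exactly the gap that produces "unable to get local issuer certificate". The file name `cachain.crt` is taken from the thread; `SAMPLE_BUNDLE` is a constructed placeholder with fake bodies, not real certificates, and the openssl binary is assumed to be on PATH.

```python
import re
import subprocess
import sys

# A PEM "chain" file holds one or more CERTIFICATE blocks back to back.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: two blocks with placeholder bodies, NOT real certificates.
# It exists only so the splitter can be exercised without files on disk.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
"""


def split_pem_bundle(text):
    """Return every PEM certificate block in `text`, in file order."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(text)]


def describe_certificate(pem_block):
    """Run `openssl x509 -subject -issuer -noout` on ONE block via stdin.
    Needs the openssl binary on PATH."""
    result = subprocess.run(
        ["openssl", "x509", "-subject", "-issuer", "-noout"],
        input=pem_block, capture_output=True, text=True, check=True,
    )
    return result.stdout


def parse_subject_issuer(openssl_output):
    """Turn the 'subject=...' / 'issuer=...' lines into a (subject, issuer) pair.
    Works for both the old '/C=US/O=...' and the newer 'C = US, O = ...' styles."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields.get("subject", ""), fields.get("issuer", "")


def find_missing_issuers(pairs):
    """Given (subject, issuer) pairs for every certificate in the bundle (any
    order), return the issuer names that no certificate in the bundle carries
    as its subject. A self-signed root is its own issuer and never counts.
    Any name returned is what `pkcs12 -chain` cannot find in the -CAfile."""
    subjects = {subject for subject, _ in pairs}
    return sorted({issuer for subject, issuer in pairs
                   if subject != issuer and issuer not in subjects})


def inspect_bundle(path):
    """Print a per-certificate report for a chain file and return the gaps."""
    with open(path, "r") as fh:
        blocks = split_pem_bundle(fh.read())
    print(f"{path}: {len(blocks)} certificate(s)")
    pairs = []
    for n, block in enumerate(blocks, 1):
        pair = parse_subject_issuer(describe_certificate(block))
        pairs.append(pair)
        print(f"  [{n}] subject: {pair[0]}")
        print(f"      issuer:  {pair[1]}")
    missing = find_missing_issuers(pairs)
    for name in missing:
        print(f"  MISSING issuer (append it to the bundle): {name}")
    return missing


if __name__ == "__main__":
    # Usage: python inspect_chain.py cachain.crt cachain2.crt ...
    for chain_file in sys.argv[1:] or ["cachain.crt"]:
        inspect_bundle(chain_file)
```

Run it against the old and the new chain file side by side: the old one should report zero missing issuers, and if the new one lists the VeriSign root as missing, appending the root CA certificate to the bundle is the fix the reply above describes.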

