problem with certificates - Openssl


Thread: problem with certificates

  1. problem with certificates

    Hi,

    The error below is obtained when no CA is set up on the machine, i.e., the
    cacert.pem and cakey.pem files are not present and the root certificate is
    not signed by the CA.

    The root certificate is signed by the root key generated while creating the
    certificate using the command:
    openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem

    -Error with certificate at depth: 2
    issuer = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root
    Intoto/emailAddress=root@intoto.com
    subject = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root
    Intoto/emailAddress=root@intoto.com
    err 19:self signed certificate in certificate chain
    SSL_connect failed
    ** client.c:80 Error connecting SSL object
    16384:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
    verify failed:s3_clnt.c:843:

    Any help regarding this...
    --
    thanks,
    Lakshmi Prasanna


  2. Re: problem with certificates

    Hi,

    Thanks for the reply.

    I have set up a CA and generated the cacert.pem and cakey.pem files. I
    signed the root request with cacert.pem and generated rootcert.pem.
    Even then, the same error is observed, saying "Self signed certificate".
    Actually, I am setting up a local CA in this case.

    Can we sign the root certificate by the CA, or should we sign the root
    certificate request and then generate the root certificate from the
    request?

    Actually, I am following the steps in the O'Reilly book Network
    Security with OpenSSL to generate the certificates.
    Can you please send me the exact steps to create a CA and generate
    CA-signed certificates?

    thanks,
    Lakshmi Prasanna


    On Fri, Jun 13, 2008 at 2:33 PM, bala_41@hotmail.com
    wrote:
    > Hi,
    >
    > The error below is obtained when no CA is set up on the machine, i.e., the
    > cacert.pem and cakey.pem files are not present and the root certificate is
    > not signed by the CA.
    >
    > "lakshmi prasanna" wrote:
    >>
    >>
    >> The root certificate is signed by the root key generated while creating the
    >> certificate using the command:
    >> openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
    >>
    >> -Error with certificate at depth: 2
    >> issuer = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root
    >> Intoto/emailAddress=root@intoto.com
    >> subject = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root
    >> Intoto/emailAddress=root@intoto.com
    >> err 19:self signed certificate in certificate chain
    >> SSL_connect failed
    >> ** client.c:80 Error connecting SSL object
    >> 16384:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
    >> verify failed:s3_clnt.c:843:
    >>
    >> Any help regarding this...
    >> --
    >> thanks,
    >> Lakshmi Prasanna


    --
    thanks,
    Lakshmi Prasanna
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  3. Re: problem with certificates

    Read the manpage for verify(1ssl) for information on how to get
    openssl's commandline tools to recognize a root certificate as
    'trusted'.

    The same type of thing must be done in your client. The root
    certificate must be added to the list of CAs that are trusted. I'm
    not quite sure of the precise API to use to do so.

    Also: I would recommend you look at the CA.sh shell script to handle
    things as a minimal Certifying Authority. It automates the entire
    procedure.

    -Kyle H

    On Fri, Jun 13, 2008 at 3:05 AM, lakshmi prasanna wrote:
    > Hi,
    >
    > Thanks for the reply.
    >
    > I have set up a CA and generated the cacert.pem and cakey.pem files. I
    > signed the root request with cacert.pem and generated rootcert.pem.
    > Even then, the same error is observed, saying "Self signed certificate".
    > Actually, I am setting up a local CA in this case.
    >
    > Can we sign the root certificate by the CA, or should we sign the root
    > certificate request and then generate the root certificate from the
    > request?
    >
    > Actually, I am following the steps in the O'Reilly book Network
    > Security with OpenSSL to generate the certificates.
    > Can you please send me the exact steps to create a CA and generate
    > CA-signed certificates?
    >
    > thanks,
    > Lakshmi Prasanna


  4. Re: problem with certificates

    I am facing the same issue. I want to automate adding the CA certificate to
    the client machine.
    Where can I get this CA.sh? Will it automate the client process of adding the CA
    certificate as a trusted one? I found CA.pl, a wrapper script by Eric. Is it
    the same one you are talking about?

    On Fri, Jun 13, 2008 at 3:33 AM, Kyle Hamilton wrote:

    > Read the manpage for verify(1ssl) for information on how to get
    > openssl's commandline tools to recognize a root certificate as
    > 'trusted'.
    >
    > The same type of thing must be done in your client. The root
    > certificate must be added to the list of CAs that are trusted. I'm
    > not quite sure of the precise API to use to do so.
    >
    > Also: I would recommend you look at the CA.sh shell script to handle
    > things as a minimal Certifying Authority. It automates the entire
    > procedure.
    >
    > -Kyle H

    --
    I may be miles away... but I am just an email away.... so keep emailing...!!!
    Cheers,
    Rajan
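
The trust step described in reply 3, as an added example that is not part of the original thread: a root that is only presented in the chain gives error 19, while the same root named as a trust anchor with -CAfile verifies. The rootkey.pem and rootcert.pem names follow the thread; the subjects, ca.cnf, the server file names and the helper functions make_chain and verify_code are assumptions made for the example.

```shell
#!/bin/sh
# Added example. rootkey.pem/rootcert.pem follow the thread; all else is constructed.
set -eu

make_chain() {  # $1 = directory to write the keys and certificates into
    dir=$1
    # Minimal config so the root carries basicConstraints CA:TRUE.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1. Root CA: new key plus a self-signed certificate (issuer == subject).
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/O=Example Org/CN=Example Root" \
        -keyout "$dir/rootkey.pem" -out "$dir/rootcert.pem" 2>/dev/null
    # 2. Server key and certificate request.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=server.example" \
        -keyout "$dir/serverkey.pem" -out "$dir/serverreq.pem" 2>/dev/null
    # 3. The root signs the server request.
    openssl x509 -req -in "$dir/serverreq.pem" -sha256 -days 30 \
        -CA "$dir/rootcert.pem" -CAkey "$dir/rootkey.pem" -CAcreateserial \
        -out "$dir/servercert.pem" 2>/dev/null
}

# Print the verify error number for a leaf certificate, or 0 if it verifies.
verify_code() {  # $1 = leaf certificate, rest = options for "openssl verify"
    leaf=$1; shift
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}

work=$(mktemp -d)
make_chain "$work"
# Root is presented in the chain but is not a trust anchor: error 19.
echo "untrusted root: $(verify_code "$work/servercert.pem" -untrusted "$work/rootcert.pem")"
# Same root named as a trust anchor: the chain verifies.
echo "trusted root:   $(verify_code "$work/servercert.pem" -CAfile "$work/rootcert.pem")"
rm -rf "$work"
```

In a C client the same trust anchor is loaded with SSL_CTX_load_verify_locations() before SSL_connect() is called.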

