Hi Sachin:

On July 29, 2008 09:53:47 am Sachin Puttur wrote:
> Hi,
> The self-signed certificate is created in Windows Server 2008 as given
> below. We have created the certificate file hpcpb.cer.
> Then we will follow the below steps on the Linux machine.
> 1) openssl x509 -in test.cer -inform d -out hpcbp.pem
> 2) cp hpcbp.pem /usr/share/ssl/certs/.
> 3) c_rehash

This is probably not doing what you think it is doing... what are you trying
to do here?

> 4) I am issuing the below command from the Linux machine (blrm188) to connect to the
> machine where Windows Server 2008 is installed.
> openssl s_client -connect blrm188.hpccluster:443


> [root@blrm243 HPCBP]# openssl s_client -connect blrm188.hpccluster:443
> CONNECTED(00000003)
> depth=0 /CN=BLRM188.HPCCLUSTER
> *verify error:num=20:unable to get local issuer certificate*
> verify return:1
> depth=0 /CN=BLRM188.HPCCLUSTER
> *verify error:num=21:unable to verify the first certificate*
> verify return:1

And there is your error - unable to get local issuer certificate... for a
self-signed certificate, this is 100% expected. First of all, you aren't
specifying a "-CAPath /usr/share/ssl/certs/" that would possibly allow
openssl to find the self-signed certificates. The second thing is that
OpenSSL is expecting to find a certificate with "BasicConstraints = CA:True"
and "Key Usage = certSign" for the issuer certificate.

Since the certificate that you are using says that it is only valid for Web
Authentication, then it isn't permissible for that certificate to sign itself
(that's what certSign is about).

Anyways - I strongly recommend either just purchasing a correct certificate,
or setting up your CA correctly to generate valid certificates.

Have fun.

Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
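
Added example, not part of the original message and not OpenSSL project code: a shell walk-through of the two points in the reply, using a throwaway self-signed certificate that carries CA:TRUE and keyCertSign, a subject-hash link as c_rehash would create, and a verification with and without a trust directory. The CN `test-host.example`, the temporary paths and the function names are constructed for illustration; `-no-CAfile` and `-no-CApath` assume OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: constructed names and throwaway files only.
work=$(mktemp -d)

make_selfsigned() {   # $1 = output PEM path
    cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = test-host.example
[ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/req.cnf" \
        -keyout "$work/key.pem" -out "$work/orig.pem" 2>/dev/null || return 1
    # Mirror step 1 of the thread: DER (.cer) in, PEM out.
    openssl x509 -in "$work/orig.pem" -outform DER -out "$work/test.cer" &&
    openssl x509 -in "$work/test.cer" -inform DER -out "$1"
}

install_into_capath() {   # $1 = PEM cert, $2 = trust directory
    mkdir -p "$2" && cp "$1" "$2/" || return 1
    h=$(openssl x509 -in "$1" -noout -hash) || return 1
    # What c_rehash does: a <subject-hash>.0 link that -CApath lookups use.
    ln -sf "$(basename "$1")" "$2/$h.0"
}

can_sign() {   # $1 = PEM cert; true if CA:TRUE and Certificate Sign are set
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q 'CA:TRUE' && echo "$text" | grep -q 'Certificate Sign'
}

verify_with_capath() {   # $1 = PEM cert, $2 = hashed directory
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

verify_without_store() {   # $1 = PEM cert; no trust anchors at all
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

make_selfsigned "$work/hpcbp.pem" &&
install_into_capath "$work/hpcbp.pem" "$work/certs" &&
can_sign "$work/hpcbp.pem" && echo "extensions allow the cert to act as issuer"
verify_with_capath "$work/hpcbp.pem" "$work/certs" && echo "verified via -CApath"
verify_without_store "$work/hpcbp.pem" || echo "no trust store: verification fails"
```

The same `-CApath` option is accepted by `openssl s_client`, so the directory built here can be passed to the connection test from the thread.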