Subject: RE: Client Certificates - Openssl
> From: email@example.com On Behalf Of Felix Ingram
> Sent: Saturday, 04 October, 2008 10:27
> 2008/10/4 Dave Thompson
> > The actual failure is the alert 48 "unknown ca" from the server.
> > Apparently it doesn't like the cert (or chain) s_client is sending,
> > but the protocol doesn't provide any (standard) way for it to explain.
> > If they have logs on the server, and you can reach someone who knows
> > about them, ask them to look at the time of your failed attempt(s)
> > and see if it has any more specific or descriptive information.
> Is it usual for the client to have to provide the signing
> certificates? I would have thought that the server would have them
> when certificates are being used for authentication.
Well, it depends on whether the CA uses intermediate certs (and keys),
and if so, whether the server operators decide to (pre)configure them.
According to X.509 principles, it is sufficient to have the root(s);
SSL, and the openssl library, support sending the chain if/as needed.
But as I noted, s_client apparently doesn't; remember that most of
the command-line 'apps' are intended to be basic tools to do things
that you don't have a more complete, specific application for.
> I believe there is an intermediate certificate but I have every reason
> to believe that the server will have a copy...
> It looks like I need to find the Verisign certificate in IE.
You might also look at the .pfx data they gave you. IF the people
who created it coordinated with (or are the same as!) the people
who control the server, it would have been logical for them to include
in the 'bag' any/all intermediate cert(s) needed to use your cert.
Unless you converted foryou.pfx to your.pem with -clcerts (or edited it),
you should be able to look through your.pem and see if there's
a certificate block preceded by a subject=imedCAname which
matches (exactly) issuer= for the cert with subject=yourname.
OpenSSL Project http://www.openssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com
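The check Dave describes above (look through your.pem for a certificate block whose subject= exactly matches the issuer= of the cert with subject=yourname) can be automated. The following is an added example, not code from the thread or from the OpenSSL project: it reads only the subject=/issuer= lines that `openssl pkcs12 -in foryou.pfx -out your.pem` writes in front of each CERTIFICATE block, follows issuer -> subject links from the leaf up, and reports the first issuer name that no certificate in the bag carries as its subject. The names LEAF/IMED/ROOT and the sample bags are constructed for the example; the base64 bodies are placeholders, not real certificates.

```python
# Added example, not code from the original thread: reads the subject=/issuer=
# lines that `openssl pkcs12 -in foryou.pfx -out your.pem` writes in front of
# each CERTIFICATE block and follows issuer -> subject links from the leaf up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BEGIN_CERT = "-----BEGIN CERTIFICATE-----"
END_CERT = "-----END CERTIFICATE-----"

@dataclass
class Cert:
    subject: str
    issuer: str
    pem: str  # the BEGIN/END block itself, so an ordered chain file can be written

def parse_bag(text: str) -> List[Cert]:
    """One Cert per CERTIFICATE block; the subject=/issuer= lines just before
    the block belong to it. Key blocks and 'Bag Attributes' lines are skipped."""
    certs: List[Cert] = []
    subject = issuer = None
    block: Optional[List[str]] = None
    for line in text.splitlines():
        if block is not None:                        # inside a certificate block
            block.append(line)
            if line.strip() == END_CERT:
                if subject is None or issuer is None:
                    raise ValueError("certificate block without subject=/issuer= lines")
                certs.append(Cert(subject, issuer, "\n".join(block)))
                subject = issuer = block = None
            continue
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.strip() == BEGIN_CERT:
            block = [line]
    return certs

def build_chain(certs: List[Cert], leaf_subject: Optional[str] = None) -> Tuple[List[Cert], Optional[str]]:
    """Order certs leaf first by matching issuer= to another cert's subject=.
    Returns (chain, missing): `missing` is the first issuer name no cert in the
    bag has as its subject, or None if the chain ends at a self-signed root.
    Names are compared as exact strings, as the thread advises."""
    by_subject: Dict[str, Cert] = {}
    for c in certs:
        by_subject.setdefault(c.subject, c)          # first cert wins on duplicates
    if leaf_subject is None:
        # The leaf is the one cert no other cert names as issuer; a bag with
        # stray CA certs (or a self-signed leaf) needs leaf_subject instead.
        issuers = {c.issuer for c in certs}
        leaves = [c for c in certs if c.subject not in issuers]
        if len(leaves) != 1:
            raise ValueError("cannot pick a unique leaf; pass leaf_subject")
        leaf = leaves[0]
    else:
        leaf = by_subject[leaf_subject]
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].issuer != chain[-1].subject:     # stop at a self-signed root
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            return chain, chain[-1].issuer           # exactly the mismatch to look for
        if parent.subject in seen:
            raise ValueError("issuer loop in bag")
        chain.append(parent)
        seen.add(parent.subject)
    return chain, None

def chain_pem(chain: List[Cert]) -> str:
    """Leaf-first PEM concatenation, the usual order for a chain file."""
    return "\n".join(c.pem for c in chain) + "\n"

def check_bag(text: str, leaf_subject: Optional[str] = None) -> Tuple[List[str], Optional[str]]:
    """Subjects in chain order, plus the first issuer not found in the bag."""
    chain, missing = build_chain(parse_bag(text), leaf_subject)
    return [c.subject for c in chain], missing

# Constructed sample bags with hypothetical names; the base64 bodies are
# placeholders, not real certificates, since only the header lines matter here.
LEAF = "/C=GB/O=Example Ltd/CN=yourname"
IMED = "/C=US/O=Example CA Inc/CN=Example Class 1 Subscriber CA"
ROOT = "/C=US/O=Example CA Inc/CN=Example Root CA"

def _block(subject: str, issuer: str) -> str:
    return (f"Bag Attributes: <No Attributes>\nsubject={subject}\nissuer={issuer}\n"
            f"{BEGIN_CERT}\nMIIBplaceholder\n{END_CERT}\n")

FULL_BAG = _block(LEAF, IMED) + _block(IMED, ROOT) + _block(ROOT, ROOT) + (
    "Bag Attributes\n    localKeyID: 01\nKey Attributes: <No Attributes>\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n")
CLCERTS_BAG = _block(LEAF, IMED)                              # what -clcerts leaves
NEAR_MISS_BAG = _block(LEAF, IMED) + _block(IMED + " G2", ROOT)  # wrong intermediate

if __name__ == "__main__":
    for name, bag, leaf in (("full bag", FULL_BAG, None), ("-clcerts", CLCERTS_BAG, None),
                            ("near miss", NEAR_MISS_BAG, LEAF)):
        subjects, missing = check_bag(bag, leaf)
        print(f"{name}: chain={subjects} missing_issuer={missing!r}")
```

Run it against a real your.pem by passing the file contents to check_bag(): a returned missing issuer is the intermediate CA name you still need to obtain; an empty missing value with three subjects means the bag already carries the chain. The near-miss case shows why the comparison is exact: an intermediate whose subject differs from the leaf's issuer by even a suffix is reported as absent, not as a match.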