What I want

I want to connect to a server using a given signed certificate (by the company running the server)

What I have

  • Ubuntu 12.04 LTS
  • My key and CSR files
  • A signed certificate. It was signed by the people running the server I want to connect to (not a globally trusted CA) after I sent them my self-generated CSR
  • The RootCA.crt and the CompanyCA.crt

What works

I can create a java keystore from the signed certificate and my key. If I use that in SoapUI, I can successfully connect to the server sending SOAP requests and get proper responses

What doesn't work

I cannot use my certificate and key with openssl s_client -connect. The response is a Verify return code: 20 (unable to get local issuer certificate)

My request:

openssl s_client -connect service.company.com:443 -cert myCert.crt -key myKey.key

What else did I try (to no avail)

  • Using RootCA or CompanyCA with -CAfile
  • Concatenating RootCA and CompanyCA and using that with -CAfile
  • Putting RootCA and CompanyCA in a directory and after doing c_rehash specifying it with -CApath
  • Installing RootCA and CompanyCA in /usr/lib/ssl/certs/ and doing c_rehash
  • Creating a .pem from my certificate and key file (from .p12) and using that as -cert
  • When I do openssl verify -CAfile RootCA.crt CompanyCA.crt the result is error 20 at 0 depth lookup:unable to get local issuer certificate
  • When I do openssl verify -CAfile RootCA.crt myCert.crt the result is error 2 at 1 depth lookup:unable to get issuer certificate

I always get (pretty much)

CONNECTED(00000003)
depth=1 C = DE, O = Company, CN = Company CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=City/L=City/O=Company/CN=service.company.com
   i:/C=DE/O=Company/CN=Company CA
 1 s:/C=DE/O=Company/CN=Company CA
   i:/C=DE/O=Other Company/OU=INST/DSW/CN=Other Company Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
subject=/C=DE/ST=City/L=City/O=Company/CN=service.company.com
issuer=/C=DE/O=Company/CN=Company CA
---
Acceptable client certificate CA names
/C=DE/O=Other Company/OU=INST/DSW/CN=Other Company Root CA
/C=DE/O=Company/CN=Company CA 
---
SSL handshake has read 3926 bytes and written 2631 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported  
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA 
    Session-ID: SessionId
    Session-ID-ctx:
    Master-Key: MasterKey
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    <SNIP>
    Start Time: 1393503573
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    • Solved: The RootCA.crt file was wrong. The company resent RootCA and CompanyCA files and now it works with the new files.
    • I should have known when openssl verify -CAfile RootCA.crt CompanyCA.crt returned an error. Now I can concatenate RootCA and CompanyCA and pass it as -CAfile to the connect command (and -cert myCert.crt -key myCert.key)
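
The hindsight check from the answer (openssl verify -CAfile RootCA.crt CompanyCA.crt) turned into a pre-flight script, as an added example that is not part of the original post. It goes a little further by separating a wrong issuer name from a right name with the wrong key; the function names, exit codes and demo certificates (including StaleRootCA) are constructed for illustration.

```sh
#!/bin/sh
# Added example: sanity-check a private CA pair before handing it to s_client.
# File names mirror the post; the demo certificates are constructed throwaways.

# name_of subject|issuer FILE: print that DN without its "field=" prefix
name_of() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# verifies CAFILE CERT: true only if openssl reports "CERT: OK" (the output
# text is checked rather than relying on the exit status alone)
verifies() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

# check_chain ROOT INTERMEDIATE: 0 = usable, 1 = bad root, 2 = wrong issuer
# name, 3 = right name but the intermediate does not verify against this root
check_chain() {
  root=$1; inter=$2
  if ! verifies "$root" "$root"; then
    echo "FAIL: $root is not a valid self-signed root"; return 1
  fi
  if [ "$(name_of issuer "$inter")" != "$(name_of subject "$root")" ]; then
    echo "FAIL: $inter names a different issuer than $root"; return 2
  fi
  if ! verifies "$root" "$inter"; then
    echo "FAIL: names match, but $inter does not verify against $root"; return 3
  fi
  echo "OK: $root + $inter form a chain"; return 0
}

# make_demo DIR: constructed test PKI. StaleRootCA has the same subject as
# RootCA but a different key, one way a CA file can be "wrong".
make_demo() {
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
  for n in RootCA StaleRootCA; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/o.cnf" \
      -subj "/O=Demo/CN=Demo Root CA" -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" \
    -subj "/O=Demo/CN=Demo Company CA" -keyout "$d/CompanyCA.key" \
    -out "$d/CompanyCA.csr" 2>/dev/null
  openssl x509 -req -in "$d/CompanyCA.csr" -CA "$d/RootCA.crt" \
    -CAkey "$d/RootCA.key" -set_serial 2 -days 2 -extfile "$d/o.cnf" \
    -extensions ca -out "$d/CompanyCA.crt" 2>/dev/null
}

if [ "${1:-}" = demo ]; then   # sh check_chain.sh demo
  d=$(mktemp -d); make_demo "$d"
  check_chain "$d/RootCA.crt" "$d/CompanyCA.crt"
  check_chain "$d/StaleRootCA.crt" "$d/CompanyCA.crt"
fi
```

Once check_chain returns 0 for the real files, the concatenated pair is what goes to -CAfile, as in the answer above.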
