<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#ffffff">
Hello,<br>
I firmly believe you will help me find the error; I have been struggling with this for quite a long time,
but I cannot find what the problem is.<br>
After installing the certificates I tried to verify their validity, but
I get these error messages:<br>
<br>
# openssl s_client -CAfile cacert.pem -connect www.firma.sk:443<br>
CONNECTED(00000003)<br>
depth=0
/C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk<br>
verify error:num=20:unable to get local issuer certificate<br>
verify return:1<br>
depth=0
/C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk<br>
verify error:num=27:certificate not trusted<br>
verify return:1<br>
depth=0
/C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk<br>
verify error:num=21:unable to verify the first certificate<br>
verify return:1<br>
---<br>
Certificate chain<br>
0
s:/C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk<br>
i:/C=SK/ST=Slovakia/O=CAfirma.sk/OU=Certification Authority/CN=FIRMA
CA<br>
---<br>
&lt;some lines here&gt;<br>
<br>
Maybe I am doing something wrong, or the CAfile option does not mean what I think it does...
(cacert.pem is the CA certificate).<br>
<br>
Here is an excerpt from openssl.cnf:<br>
<br>
<address><font face="Courier New, Courier, monospace">HOME
= .</font></address>
<address><font face="Courier New, Courier, monospace">RANDFILE
= $ENV::HOME/.rnd</font></address>
<address><font face="Courier New, Courier, monospace">oid_section
= new_oids</font></address>
<address><font face="Courier New, Courier, monospace">[ new_oids ]</font></address>
<address><font face="Courier New, Courier, monospace">[ ca ]</font></address>
<address><font face="Courier New, Courier, monospace">default_ca =
CA_default # The default ca section</font></address>
<address><font face="Courier New, Courier, monospace">[ CA_default ]</font></address>
<address><font face="Courier New, Courier, monospace">dir =
/root/CA # Where everything is kept</font></address>
<address><font face="Courier New, Courier, monospace">certs =
$dir/certs # Where the issued certs are kept</font></address>
<address><font face="Courier New, Courier, monospace">crl_dir =
$dir/crl # Where the issued crl are kept</font></address>
<address><font face="Courier New, Courier, monospace">database =
$dir/index.txt # database index file.</font></address>
<address><font face="Courier New, Courier, monospace">
# several certificates with same subject.</font></address>
<address><font face="Courier New, Courier, monospace">new_certs_dir =
$dir/newcerts # default place for new certs.</font></address>
<address><font face="Courier New, Courier, monospace">certificate =
$dir/cacert.pem # The CA certificate</font></address>
<address><font face="Courier New, Courier, monospace">serial =
$dir/serial # The current serial number</font></address>
<address><font face="Courier New, Courier, monospace">crlnumber =
$dir/crlnumber # the current crl number</font></address>
<address><font face="Courier New, Courier, monospace">
# must be commented out to leave a V1 CRL</font></address>
<address><font face="Courier New, Courier, monospace">crl =
$dir/crl.pem # The current CRL</font></address>
<address><font face="Courier New, Courier, monospace">private_key =
$dir/private/cakey.pem # The private key</font></address>
<address><font face="Courier New, Courier, monospace">RANDFILE =
$dir/private/.rand # private random number file</font></address>
<address><font face="Courier New, Courier, monospace">x509_extensions =
usr_cert # The extensions to add to the cert</font></address>
<address><font face="Courier New, Courier, monospace">name_opt =
ca_default # Subject Name options</font></address>
<address><font face="Courier New, Courier, monospace">cert_opt =
ca_default # Certificate field options</font></address>
<address><font face="Courier New, Courier, monospace">default_days =
730 # how long to certify for</font></address>
<address><font face="Courier New, Courier, monospace">default_crl_days=
30 # how long before next CRL</font></address>
<address><font face="Courier New, Courier, monospace">default_md =
sha1 # which md to use.</font></address>
<address><font face="Courier New, Courier, monospace">preserve =
no # keep passed DN ordering</font></address>
<address><font face="Courier New, Courier, monospace">policy =
policy_match</font></address>
<address><font face="Courier New, Courier, monospace">copy_extensions =
copy</font></address>
<address><font face="Courier New, Courier, monospace">[ policy_match ]</font></address>
<address><font face="Courier New, Courier, monospace">countryName
= match</font></address>
<address><font face="Courier New, Courier, monospace">stateOrProvinceName
= match</font></address>
<address><font face="Courier New, Courier, monospace">organizationName
= match</font></address>
<address><font face="Courier New, Courier, monospace">organizationalUnitName
= optional</font></address>
<address><font face="Courier New, Courier, monospace">commonName
= supplied</font></address>
<address><font face="Courier New, Courier, monospace">emailAddress
= optional</font></address>
<address><font face="Courier New, Courier, monospace">[ policy_anything
]</font></address>
<address><font face="Courier New, Courier, monospace">countryName
= optional</font></address>
<address><font face="Courier New, Courier, monospace">stateOrProvinceName
= optional</font></address>
<address><font face="Courier New, Courier, monospace">localityName
= optional</font></address>
<address><font face="Courier New, Courier, monospace">organizationName
= optional</font></address>
<address><font face="Courier New, Courier, monospace">organizationalUnitName
= optional</font></address>
<address><font face="Courier New, Courier, monospace">commonName
= supplied</font></address>
<address><font face="Courier New, Courier, monospace">emailAddress
= optional</font></address>
<address><font face="Courier New, Courier, monospace">[ req ]</font></address>
<address><font face="Courier New, Courier, monospace">default_bits
= 2048</font></address>
<address><font face="Courier New, Courier, monospace">default_keyfile
= privkey.pem</font></address>
<address><font face="Courier New, Courier, monospace">distinguished_name
= req_distinguished_name</font></address>
<address><font face="Courier New, Courier, monospace">attributes
= req_attributes</font></address>
<address><font face="Courier New, Courier, monospace">x509_extensions =
v3_ca # The extensions to add to the self signed cert</font></address>
<address><font face="Courier New, Courier, monospace">string_mask =
nombstr</font></address>
<address><font face="Courier New, Courier, monospace">req_extensions =
v3_req</font></address>
<address><font face="Courier New, Courier, monospace">[
req_distinguished_name ]</font></address>
<address><font face="Courier New, Courier, monospace">countryName
= Country Name (2 letter code)</font></address>
<address><font face="Courier New, Courier, monospace">countryName_default
= SK</font></address>
<address><font face="Courier New, Courier, monospace">countryName_min
= 2</font></address>
<address><font face="Courier New, Courier, monospace">countryName_max
= 2</font></address>
<address><font face="Courier New, Courier, monospace">stateOrProvinceName
= State or Province Name (full name)</font></address>
<address><font face="Courier New, Courier, monospace">stateOrProvinceName_default
= Slovakia</font></address>
<address><font face="Courier New, Courier, monospace">localityName
= Locality Name (eg, city)</font></address>
<address><font face="Courier New, Courier, monospace">localityName_default
= Bratislava</font></address>
<address><font face="Courier New, Courier, monospace">0.organizationName
= Organization Name (eg, company)</font></address>
<address><font face="Courier New, Courier, monospace">0.organizationName_default
= firma.sk</font></address>
<address><font face="Courier New, Courier, monospace">organizationalUnitName
= Organizational Unit Name (eg, section)</font></address>
<address><font face="Courier New, Courier, monospace">commonName
= Common Name (eg, YOUR name)</font></address>
<address><font face="Courier New, Courier, monospace">commonName_max
= 64</font></address>
<address><font face="Courier New, Courier, monospace">emailAddress
= Email Address</font></address>
<address><font face="Courier New, Courier, monospace">emailAddress_max
= 64</font></address>
<address><font face="Courier New, Courier, monospace">[ req_attributes ]</font></address>
<address><font face="Courier New, Courier, monospace">challengePassword
= A challenge password</font></address>
<address><font face="Courier New, Courier, monospace">challengePassword_min
= 4</font></address>
<address><font face="Courier New, Courier, monospace">challengePassword_max
= 20</font></address>
<address><font face="Courier New, Courier, monospace">unstructuredName
= An optional company name</font></address>
<address><font face="Courier New, Courier, monospace">[ usr_cert ]</font></address>
<address><font face="Courier New, Courier, monospace">basicConstraints=CA:FALSE</font></address>
<address><font face="Courier New, Courier, monospace">nsComment
= "OpenSSL Generated Certificate issued by firma.sk"</font></address>
<address><font face="Courier New, Courier, monospace">subjectKeyIdentifier=hash</font></address>
<address><font face="Courier New, Courier, monospace">authorityKeyIdentifier=keyid,issuer:always</font></address>
<address><font face="Courier New, Courier, monospace">nsCaRevocationUrl
= https://ca.firma.sk/firma-ca.crl</font></address>
<address><font face="Courier New, Courier, monospace">crlDistributionPoints
= URI:https://ca.firma.sk/firma-ca.crl</font></address>
<address><font face="Courier New, Courier, monospace">[ v3_req ] </font></address>
<address><font face="Courier New, Courier, monospace">basicConstraints
= CA:FALSE</font></address>
<address><font face="Courier New, Courier, monospace">keyUsage =
nonRepudiation, digitalSignature, keyEncipherment</font></address>
<address><font face="Courier New, Courier, monospace">[ v3_ca ] </font></address>
<address><font face="Courier New, Courier, monospace">subjectKeyIdentifier=hash</font></address>
<address><font face="Courier New, Courier, monospace">authorityKeyIdentifier=keyid:always,issuer:always</font></address>
<address><font face="Courier New, Courier, monospace">basicConstraints
= CA:true</font></address>
<address><font face="Courier New, Courier, monospace">nsCaRevocationUrl
= https://ca.firma.sk/firma-ca.crl</font></address>
<address><font face="Courier New, Courier, monospace">crlDistributionPoints
= URI:https://ca.firma.sk/firma-ca.crl</font></address>
<address><font face="Courier New, Courier, monospace">[ crl_ext ]</font></address>
<address><font face="Courier New, Courier, monospace">authorityKeyIdentifier=keyid:always,issuer:always</font></address>
<br>
--<br>
Peter Viskup<br>
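<br>
Added example, not part of the original message: a shell check that tells apart two ways a file passed to -CAfile can fail to be the issuer of a certificate (a different issuer name, or the same name with a different CA key). The function names, file names and the demo certificates are assumptions constructed for the illustration, and the CA file is assumed to hold a single certificate.

```shell
#!/bin/sh
# Added example; every name and certificate here is constructed for the demo.

# check_issuer LEAF CAFILE  (CAFILE is assumed to hold a single CA certificate)
#   0 = LEAF verifies against CAFILE
#   1 = issuer DN of LEAF differs from subject DN of CAFILE (wrong CA file)
#   2 = DNs match but verification fails (e.g. CA re-created with a new key)
#   3 = a file could not be parsed as a certificate
check_issuer() {
    ihash=$(openssl x509 -noout -issuer_hash -in "$1" 2>/dev/null) || return 3
    shash=$(openssl x509 -noout -subject_hash -in "$2" 2>/dev/null) || return 3
    [ "$ihash" = "$shash" ] || return 1
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 2
    return 0
}

# new_ca PREFIX SUBJECT: self-signed CA certificate PREFIX.pem with key PREFIX.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# build_demo_pki DIR: one leaf certificate plus three candidate CA files
build_demo_pki() {
    new_ca "$1/ca" "/C=SK/O=Demo CA/CN=DEMO CA" &&         # the real issuer
    new_ca "$1/rekeyed" "/C=SK/O=Demo CA/CN=DEMO CA" &&    # same DN, new key
    new_ca "$1/other" "/C=SK/O=Other CA/CN=OTHER CA" &&    # unrelated CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=SK/O=demo/CN=*.demo.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Run the check for each candidate CA file and print the result code.
DEMO=$(mktemp -d) && trap 'rm -rf "$DEMO"' EXIT
build_demo_pki "$DEMO"
for ca in ca rekeyed other; do
    rc=0; check_issuer "$DEMO/leaf.pem" "$DEMO/$ca.pem" || rc=$?
    echo "$ca.pem -> $rc"
done
```

To apply the check to a live server, the leaf certificate can first be saved by piping the `openssl s_client` output through `openssl x509 -out leaf.pem`.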
</body>
</html>