[linux] Problem with verifying openssl certificates
Peter Viskup
skupko.sk at gmail.com
Thursday, October 21, 01:40:49 CEST 2010
Hello,
I firmly believe you will help me find the mistake; I have been struggling with this for quite a while
but cannot find what the problem is.
After installing the certificates I tried to verify their validity, but
I am getting error messages:
# openssl s_client -CAfile cacert.pem -connect www.firma.sk:443
CONNECTED(00000003)
depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
i:/C=SK/ST=Slovakia/O=CAfirma.sk/OU=Certification Authority/CN=FIRMA CA
---
<some lines here>
Maybe I am doing something wrong, or the CAfile option does not mean what I think it does...
(cacert.pem is the CA certificate).
Here is an extract from openssl.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /root/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 730 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SK
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Slovakia
localityName = Locality Name (eg, city)
localityName_default = Bratislava
0.organizationName = Organization Name (eg, company)
0.organizationName_default = firma.sk
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate issued by firma.sk"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCaRevocationUrl = https://ca.firma.sk/firma-ca.crl
crlDistributionPoints = URI:https://ca.firma.sk/firma-ca.crl
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
nsCaRevocationUrl = https://ca.firma.sk/firma-ca.crl
crlDistributionPoints = URI:https://ca.firma.sk/firma-ca.crl
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
--
Peter Viskup