[linux] Problem with verifying OpenSSL certificates

Peter Viskup skupko.sk at gmail.com
Thursday October 21 01:40:49 CEST 2010


Hello,
I firmly believe you will help me find the mistake; I have been struggling
with this for quite a while, but I cannot find what the problem is.
After installing the certificates I tried to verify their validity, but
I get error messages:

# openssl s_client -CAfile cacert.pem -connect www.firma.sk:443
CONNECTED(00000003)
depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk
    i:/C=SK/ST=Slovakia/O=CAfirma.sk/OU=Certification Authority/CN=FIRMA CA
---
<some lines here>

Maybe I am doing something wrong, or the CAfile option does not mean what
I think it does... (cacert.pem is the CA certificate).

Here is an excerpt from openssl.cnf:

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids

[ new_oids ]

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = /root/CA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
default_days    = 730                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering
policy          = policy_match
copy_extensions = copy

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = SK
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Slovakia
localityName                    = Locality Name (eg, city)
localityName_default            = Bratislava
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = firma.sk
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate issued by firma.sk"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCaRevocationUrl               = https://ca.firma.sk/firma-ca.crl
crlDistributionPoints           = URI:https://ca.firma.sk/firma-ca.crl

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
nsCaRevocationUrl               = https://ca.firma.sk/firma-ca.crl
crlDistributionPoints           = URI:https://ca.firma.sk/firma-ca.crl

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always


--
Peter Viskup
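An added diagnostic, not part of the original post and not the poster's own commands: it builds throwaway test certificates using the distinguished names from the post and shows how a -CAfile that is not the leaf's issuer, and a CA with the right name but a different key, each fail "openssl verify", which is the check to run locally before blaming s_client. It assumes an openssl binary on PATH; the check_chain function, the file names and the generated keys are constructed here.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Generates fresh test
# certificates and classifies why "openssl verify -CAfile" fails at depth=0.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Distinguished names taken from the post; keys and certificates are constructed.
CA_DN="/C=SK/ST=Slovakia/O=CAfirma.sk/OU=Certification Authority/CN=FIRMA CA"
LEAF_DN="/C=SK/ST=Slovakia/L=Bratislava/O=firma.sk/OU=Webhosting/CN=*.firma.sk"

# new_ca <basename> <subject>: self-signed CA key + cert written into $WORK
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
new_ca ca "$CA_DN"                          # the real issuer
new_ca ca2 "$CA_DN"                         # same name as the issuer, different key
new_ca other "/C=SK/O=Other/CN=Other CA"    # unrelated CA

# Leaf certificate (the "server" cert) issued by "ca"
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$LEAF_DN" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1

# check_chain <leaf.pem> <cafile.pem> prints exactly one word:
#   issuer-mismatch     the CA file's subject is not the leaf's issuer (wrong file)
#   signature-mismatch  names match, but the leaf was not signed by this CA's key
#   ok                  the leaf verifies against the CA file
check_chain() {
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  if [ "$issuer" != "$subject" ]; then
    echo issuer-mismatch
  elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo signature-mismatch
  fi
}

# Run the three cases so the output can be compared against a real cacert.pem
for cafile in ca ca2 other; do
  printf '%-6s %s\n' "$cafile" "$(check_chain "$WORK/leaf.pem" "$WORK/$cafile.pem")"
done
```

Run check_chain against the server certificate saved from s_client (the block between BEGIN/END CERTIFICATE) and the cacert.pem you pass to -CAfile; "issuer-mismatch" means the file is simply not that CA's certificate, while "signature-mismatch" means it carries the right name but was generated separately from the key that signed the server cert.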