Help creating certificate chain
Hiro2k
intermediate CA to handle all the end user certificate signing.
So far I've created a Root CA
I created an intermediate CA and signed it's certificate with the Root
CA
I created an end user certificate and signed it with the intermediate
CA.
Now I want to be able to just import the Root CA and have all end user
certificates be verified.
I tried running:
openssl verify -CAfile ../root/ca-cert.crt user.crt
and it returns with
error 20 at 0 depth lookup:unable to get local issuer certificate
Thanks for any help.
Hugo Garza
Smith, Ryan-P56787
All of the CA certificates in the chain of trust need to be included in the CA file passed to the “-CAfile” option. To do this, simply concatenate all of the PEM-encoded CA certificates into one file (e.g. ‘cat <PEM-encoded root CA cert> <PEM-encoded intermediate CA cert> > cafile.pem’ -- could be ‘cat ../root/ca-cert.crt ../int/ca-cert.crt > cafile.pem’). Then use the following command ‘openssl verify -CAfile cafile user.crt’.
Hope this helps.
-Ryan Smith
Jakob Bohm
> Hello All, I'm trying to get a basic root CA setup with an intermediate CA
> to handle all the end user certificate signing.
>
> So far I've created a Root CA
> I created an intermediate CA and signed it's certificate with the Root CA
> I created an end user certificate and signed it with the intermediate CA.
>
> Now I want to be able to just import the Root CA and have all end user
> certificates be verified.
>
> I tried running:
> openssl verify -CAfile ../root/ca-cert.crt user.crt
>
> and it returns with
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> Thanks for any help.
>
(inclusive) need to be provided as input. It is your choice if
the intermediary cert is included in ca-cert.crt or in user.crt.
In a real application/protocol (such as SSL), the intermediary cert
would typically be included in the appropriate protocol or message
field. SSL/TLS puts the list of certificates in the "Certificate"
handshake message, S/MIME (CMS/PKCS#7) puts the list of certificates
in the "certificates" member of the SignedData ASN.1 structure.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Dr. Stephen Henson
> Hello All, I'm trying to get a basic root CA setup with an intermediate CA
> to handle all the end user certificate signing.
>
> So far I've created a Root CA
> I created an intermediate CA and signed it's certificate with the Root CA
> I created an end user certificate and signed it with the intermediate CA.
>
> Now I want to be able to just import the Root CA and have all end user
> certificates be verified.
>
> I tried running:
> openssl verify -CAfile ../root/ca-cert.crt user.crt
>
> and it returns with
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
In a real world situation the user certificate and all intermediates would be
presented and only the root CA trusted. With the verify command you'd do:
openssl verify -CAfile root.pem -untrusted intermediate.pem user.pem
where "intermediate.pem" has any intermediate CA certificates concatenated
together, just the one in your case.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Hugo Garza
On 15-07-2010 21:26, Hugo Garza wrote:
Hello All, I'm trying to get a basic root CA setup with an intermediate CA
to handle all the end user certificate signing.
So far I've created a Root CA
I created an intermediate CA and signed it's certificate with the Root CA
I created an end user certificate and signed it with the intermediate CA.
Now I want to be able to just import the Root CA and have all end user
certificates be verified.
I tried running:
openssl verify -CAfile ../root/ca-cert.crt user.crt
and it returns with
error 20 at 0 depth lookup:unable to get local issuer certificate
Thanks for any help.
All of the certificates in the chain from user.crt to ca-cert.crt (inclusive) need to be provided as input. It is your choice if
the intermediary cert is included in ca-cert.crt or in user.crt.
In a real application/protocol (such as SSL), the intermediary cert
would typically be included in the appropriate protocol or message
field. SSL/TLS puts the list of certificates in the "Certificate"
handshake message, S/MIME (CMS/PKCS#7) puts the list of certificates
in the "certificates" member of the SignedData ASN.1 structure.
Hugo Garza
On Thu, Jul 15, 2010, Hugo Garza wrote:
> Hello All, I'm trying to get a basic root CA setup with an intermediate CA
> to handle all the end user certificate signing.
>
> So far I've created a Root CA
> I created an intermediate CA and signed it's certificate with the Root CA
> I created an end user certificate and signed it with the intermediate CA.
>
> Now I want to be able to just import the Root CA and have all end user
> certificates be verified.
>
> I tried running:
> openssl verify -CAfile ../root/ca-cert.crt user.crt
>
> and it returns with
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
In a real world situation the user certificate and all intermediates would be
presented and only the root CA trusted. With the verify command you'd do:
openssl verify -CAfile root.pem -untrusted intermediate.pem user.pem
where "intermediate.pem" has any intermediate CA certificates concatenated
together, just the one in your case.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Patrick Patterson
On July 16, 2010 02:31:53 pm Hugo Garza wrote:
> Hello Stephen, thank you for your comment that made the verification pass.
> But I'm a bit confused now.
>
> Just as a demo I moved these certs to my windows computer and installed the
> Root CA into my current user's Trusted Root Certificate Authorities folder
> using the MMC certificates snap in. Then I double click the inter CA
> certificate and Windows says it's OK. But when I double click the users
> certificate it says that it doesn't have enough information to verify the
> certificate.
>
> This is strange to me, because I can visit lots of websites that I know I
> don't have the intermediate CA installed it all works. For instance I can
> visit gmail and it says the root is Class 3 Public Primary Certification
> Authority by Verisign, and I can see that it's installed in my
> windows Trusted Root Certificate Authorities. The next certificate is
> Thawte SGC CA which is no where in my Trusted Root Certificate Authorities
> and finally is mail.google.com and windows says it's valid.
>
> Am I missing some extension when I create the end user certificate or what
> part of this puzzle is escaping my grasp.
>
Yes, you probably are missing the "AuthorityInformationAccess" extension in
the client certificate. This is an X.509 extension that contains, in the
"caIssuers" field, a URI that points to a location that an application that is
performing path construction may use to download the certificate for that
certificate's issuer. Inside of THAT certificate, there should be another
"AuthorityInformationAccess" extension which points to THAT Certificates
issuer all the way up the line to a self signed certificate that SHOULD NOT
have an AIA field.
For a full description, including the formatting of the certificate to be
downloaded, please see RFC5280.
As an aside, even with an AIA extension, the OpenSSL library (and by
extension, the command line tool) will NOT fetch intermediate certificates for
you (which is why you needed to put both certs in the cafile.pem) - this is
because it doesn't have any code to be an HTTP or LDAP client (probably a good
thing:). If you want to do path construction, you have to write an application
that uses OpenSSL for the crypto, but your application has to handle all of
the network access.
Have fun!
--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
Dr. Stephen Henson
> Hello Stephen, thank you for your comment that made the verification pass.
> But I'm a bit confused now.
>
> Just as a demo I moved these certs to my windows computer and installed the
> Root CA into my current user's Trusted Root Certificate Authorities folder
> using the MMC certificates snap in. Then I double click the inter CA
> certificate and Windows says it's OK. But when I double click the users
> certificate it says that it doesn't have enough information to verify the
> certificate.
>
> This is strange to me, because I can visit lots of websites that I know I
> don't have the intermediate CA installed it all works. For instance I can
> visit gmail and it says the root is Class 3 Public Primary Certification
> Authority by Verisign, and I can see that it's installed in my
> windows Trusted Root Certificate Authorities. The next certificate is Thawte
> SGC CA which is no where in my Trusted Root Certificate Authorities and
> finally is mail.google.com and windows says it's valid.
>
> Am I missing some extension when I create the end user certificate or what
> part of this puzzle is escaping my grasp.
>
What you are missing is that when you visit a website it doesn't just send the
user certificate back it also sends intermediate CAs too, the root being
optional.
What that means is that as long as you have the correct root trusted the
certificates presented are sufficient to verify the end entity certificate.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Patrick Patterson
> What? No plug for pathfinder?
>
>
Heh - Given that he asked why Windows wasn't pulling it, there was no need...it's a straight AIA question. however, if he was asking how to get Apache to recognize it (or any of the other various applications that have patches available) then I would have (one would still require the AIA field, though) :)
Have fun.
Patrick.
> -----Original Message-----
> From: owner-ope...@openssl.org on behalf of Patrick Patterson
> Sent: Fri 7/16/2010 11:58 AM
> To: openss...@openssl.org
> Subject: Re: Help creating certificate chain
>
> Hello Hugo:
>
> On July 16, 2010 02:31:53 pm Hugo Garza wrote:
>> Hello Stephen, thank you for your comment that made the verification pass.
>> But I'm a bit confused now.
>>
>> Just as a demo I moved these certs to my windows computer and installed the
>> Root CA into my current user's Trusted Root Certificate Authorities folder
>> using the MMC certificates snap in. Then I double click the inter CA
>> certificate and Windows says it's OK. But when I double click the users
>> certificate it says that it doesn't have enough information to verify the
>> certificate.
>>
>> This is strange to me, because I can visit lots of websites that I know I
>> don't have the intermediate CA installed it all works. For instance I can
>> visit gmail and it says the root is Class 3 Public Primary Certification
>> Authority by Verisign, and I can see that it's installed in my
>> windows Trusted Root Certificate Authorities. The next certificate is
>> Thawte SGC CA which is no where in my Trusted Root Certificate Authorities
>> and finally is mail.google.com and windows says it's valid.
>>
>> Am I missing some extension when I create the end user certificate or what
>> part of this puzzle is escaping my grasp.
>>
> Yes, you probably are missing the "AuthorityInformationAccess" extension in
> the client certificate. This is an X.509 extension that contains, in the
> "caIssuers" field, a URI that points to a location that an application that is
> performing path construction may use to download the certificate for that
> certificate's issuer. Inside of THAT certificate, there should be another
> "AuthorityInformationAccess" extension which points to THAT Certificates
> issuer all the way up the line to a self signed certificate that SHOULD NOT
> have an AIA field.
>
> For a full description, including the formatting of the certificate to be
> downloaded, please see RFC5280.
>
> As an aside, even with an AIA extension, the OpenSSL library (and by
> extension, the command line tool) will NOT fetch intermediate certificates for
> you (which is why you needed to put both certs in the cafile.pem) - this is
> because it doesn't have any code to be an HTTP or LDAP client (probably a good
> thing:). If you want to do path construction, you have to write an application
> that uses OpenSSL for the crypto, but your application has to handle all of
> the network access.
>
> Have fun!
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openss...@openssl.org
> Automated List Manager majo...@openssl.org
>
> <winmail.dat>
depinder singh deol
Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing.So far I've created a Root CAI created an intermediate CA and signed it's certificate with the Root CAI created an end user certificate and signed it with the intermediate CA.Now I want to be able to just import the Root CA and have all end user certificates be verified.I tried running:openssl verify -CAfile ../root/ca-cert.crt user.crtand it returns witherror 20 at 0 depth lookup:unable to get local issuer certificate
Thanks for any help.
Hugo Garza
ashish2881
So far I've create a Root CA
I created an end user certificate and signed it with the intermediate CA.
--
View this message in context: http://openssl.6102.n7.nabble.com/Help-creating-certificate-chain-tp28768p44047.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.