[omniORB] SSL - unknown ca

Sébastien Bouchex sbouchex at infovista.com
Thu Nov 18 08:17:12 GMT 2004


Craig,

Sorry for the misunderstanding but that's what you did: the cert file
contains the 2 sections:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

For your problem, the server checks the validity of the CA against its list
of valid CAs (you'll find them in the CA folder of openssl); yours may not be
there.

So, add it (by putting the right name) and it should work.

Seb

-----Original Message-----
From: Burton, Craig [mailto:CBurton at verisign.com] 
Sent: Wednesday, November 17, 2004 5:49 PM
To: 'Sébastien Bouchex'; 'omniorb-list at omniorb-support.com'
Subject: RE: [omniORB] SSL - unknown ca

Hi Seb,

I'm not sure what you are recommending; which cert file must contain both
certificates?

According to the example, it seems that the client/server pem files
contained both their own private keys as well as their own (unique)
certificates:

Root.pem
    -----BEGIN CERTIFICATE-----
    MIIC/jCCArugAwIBAgIBADALBgcqhkjOOAQDBQAwZDELMAkGA1UEBhMCVVMxHzAd
    <snip>
    -----END CERTIFICATE-----

Client.pem
    -----BEGIN DSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,6C564F40B5DCAD05

    KX+eHTEYK7WnAyYm1Y3NFFeiw+wXhlfP2VM4xEw6udVfxBF2KXzsx8rqqGC8BYxs
    <snip>
    -----END DSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIC8jCCAq8CAgELMAsGByqGSM44BAMFADBkMQswCQYDVQQGEwJVUzEfMB0GA1UE
    <snip>
    -----END CERTIFICATE-----

Server.pem
    -----BEGIN DSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,C5ED1167223F2F2F

    y5qH6Q0Nvb5SUcJEYYp6+V2YDK3uXwFsdEwz4YjvD73hwoE0kGpnxrvL1WNbftE9
    <snip>
    -----END DSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIDDzCCAs2gAwIBAgICAQwwCwYHKoZIzjgEAwUAMGQxCzAJBgNVBAYTAlVTMR8w
    <snip>
    -----END CERTIFICATE-----

I do not observe that any of the cert files contain two certs - it is either
cert by itself, or key with cert, all unique.

I appreciate your advice, but could you be more specific as to which cert
file requires two concatenated certificates?

Thanks,
Craig


-----Original Message-----
From: omniorb-list-bounces at omniorb-support.com
[mailto:omniorb-list-bounces at omniorb-support.com] On Behalf Of Sébastien
Bouchex
Sent: Tuesday, November 16, 2004 11:14 PM
To: 'omniorb-list at omniorb-support.com'
Subject: RE: [omniORB] SSL - unknown ca


Hi,

Make sure that your certificate file contains the certificate of the server
and the certificate of the ca. You just need to concatenate both into a
single file and it should work.

Seb

-----Original Message-----
From: Burton, Craig [mailto:CBurton at verisign.com]
Sent: Wednesday, November 17, 2004 12:53 AM
To: omniORB
Subject: [omniORB] SSL - unknown ca

I am working through the ssl_echo example, and believe that everything is
compiled properly.  However, in attempting to generate a self-signed cert
along with client/server certs/keys, I have encountered the following
problem when the client attempts to work with the server (the following is
the server trace):

    omniORB: openSSL error detected in sslEndpoint::accept.
    Reason: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Anyone have any suggestions on how to make valid, self-signed certificates?

Thanks,
Craig

Craig Burton
VeriSign Communication Services

_______________________________________________
omniORB-list mailing list
omniORB-list at omniorb-support.com
http://www.omniorb-support.com/mailman/listinfo/omniorb-list
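
An added example, not part of the thread or of omniORB: one way to produce the Root.pem / Server.pem / Client.pem layout quoted above with the openssl command line, and to check with `openssl verify` whether a certificate chains to the CA file the verifying peer will use. Subjects, file names, key type (RSA), lifetimes and the function names `make_pki` and `chain_ok` are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): private root CA + server/client certs.
# Subjects, file names and validity are constructed; keys are left
# unencrypted for brevity, unlike the passphrase-protected keys in the thread.

# make_pki DIR [CA_CN]: writes root.pem, server.pem, client.pem into DIR.
make_pki() {
    d=$1; ca=${2:-Example Test Root CA}
    mkdir -p "$d" || return 1
    # Minimal config so the root is marked as a CA on any OpenSSL version.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
        '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        > "$d/req.cnf" || return 1
    # Self-signed root: the file the verifying peer must have in its CA list.
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$ca" -keyout "$d/root.key" -out "$d/root.pem" \
        2>/dev/null || return 1
    for name in server client; do
        openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=example-$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$name.csr" -days 30 \
            -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
            -out "$d/$name.crt" 2>/dev/null || return 1
        # Same layout as Client.pem/Server.pem in the thread: key, then cert.
        cat "$d/$name.key" "$d/$name.crt" > "$d/$name.pem" || return 1
    done
}

# chain_ok CAFILE CERT: true only if CERT chains to a root in CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo: the issuing root verifies; an unrelated root gives the "unknown ca" case.
t=$(mktemp -d) || exit 1
make_pki "$t/a" "Example Root A" && make_pki "$t/b" "Example Root B" || exit 1
chain_ok "$t/a/root.pem" "$t/a/server.crt" && echo "own root: verified"
chain_ok "$t/b/root.pem" "$t/a/server.crt" || echo "other root: unknown ca"
rm -rf "$t"
```

Running `chain_ok` against the exact CA file each side is configured with is a quick way to tell a missing root apart from a problem in the ORB's SSL settings.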
