On Tue, Sep 13, 2016 at 10:53:57PM +0800, zy_chongqing wrote:
> thanks for your reply. please kindly find the attached to get the certificate.
Firstly, you posted a 2048-bit certificate, which would not normally
fail with a "key too small" error, other than by failure to parse
the public key.
Secondly, when I start the OpenSSL 1.1.0 s_server(1) with the posted
certificate as the chain file, and a random 2048-bit RSA key as
the key file, the error is that the key and certificate don't match.
This means that at least s_server *is* able to parse the public
key. Are there some other certificates in the chain file, in
addition to the leaf certificate you posted? Please post all
the certificates (but not the private key) from that chain file.
$ openssl genrsa 2048 >> /tmp/cert.pem
Generating RSA private key, 2048 bit long modulus
........................................................................+++
...............+++
e is 65537 (0x010001)
$ openssl s_server -cert /tmp/cert.pem -accept 12345
Using default temp DH parameters
error setting private key
140735148003328:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../openssl/crypto/x509/x509_cmp.c:295:
--
Viktor.
