Hi,
On 12/12/17 11:06, wizard2010@xxxxxxxxx wrote:
> Hi.
> Ok, I agree with you that the way I generate the certificates could
> not be the right one, but now I change the way and the problem remains.
> Please check the way I'm creating the certificates. I create a ROOT-CA
> entity and an INTERMEDIATE-CA that is responsible to generate the
> CLIENT and SERVER certificates.
> This is the script [ https://pastebin.com/bw6j5AZz ] that I'm using to
> create this small PKI example

You're changing the game as you go along -- now you want an intermediate
CA all of a sudden ;)

Still, with the certs you've sent this time I can get it to work, with a
minor code change: instead of using
  SSL_CTX_use_certificate_chain_file(...)
I am using
  SSL_CTX_use_certificate_chain_file(ssl_server_ctx, SSL_SERVER_RSA_CERT)
then make sure that RSA_CA_CRT points to root-ca.crt and that
SERVER_RSA_CRT points to server.pem, which contains the intermediate CA
as a stacked cert; on the client side, use your stacked client.pem file
as well. In that case I can connect to your server program using
  openssl s_client -connect 127.0.0.1:4444 -CAfile root-ca.crt -cert client.pem -key client.key

HTH,
JJK
--
openssl-users mailing list
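
An added example, not part of the original message or of the poster's script: it builds a constructed root CA, intermediate CA and server leaf, stacks leaf plus intermediate into server.pem, and shows that a verifier trusting only root-ca.crt rejects the leaf on its own but accepts it once the stacked file supplies the intermediate. Apart from root-ca.crt and server.pem, all file names, subject names and function names are assumptions.

```sh
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server leaf.
# Only root-ca.crt and server.pem are names from the thread; the rest are assumed.

# issue NAME CN EXT_SECTION [ISSUER]   (no ISSUER means self-signed)
issue() {
    name=$1; cn=$2; ext=$3; issuer=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -subj "/CN=$cn" -out "$name.csr" 2>/dev/null || return 1
    if [ -n "$issuer" ]; then
        signer="-CA $issuer.crt -CAkey $issuer.key -CAcreateserial"
    else
        signer="-signkey $name.key"
    fi
    # $signer is left unquoted on purpose so it splits into separate options
    openssl x509 -req -in "$name.csr" $signer -days 30 -sha256 \
        -extfile ext.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
}

# build_demo_pki DIR: create the three-tier PKI and the stacked server.pem in DIR
build_demo_pki() (
    cd "$1" || exit 1
    printf '%s\n' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints = CA:FALSE' > ext.cnf
    issue root-ca "Demo Root CA" v3_ca || exit 1
    issue intermediate "Demo Intermediate CA" v3_ca root-ca || exit 1
    issue server localhost v3_leaf intermediate || exit 1
    # Stacked file: leaf first, then the intermediate that signed it
    cat server.crt intermediate.crt > server.pem
)

# chain_ok DIR [EXTRA]: does server.crt verify with only root-ca.crt trusted,
# optionally with the certificates in EXTRA offered as untrusted helpers?
chain_ok() (
    cd "$1" || exit 1
    openssl verify -CAfile root-ca.crt ${2:+-untrusted "$2"} server.crt 2>&1 |
        grep -q ': OK'
)

demo() {
    dir=$(mktemp -d) && build_demo_pki "$dir" || return 1
    chain_ok "$dir" && echo "leaf alone: verifies" || echo "leaf alone: FAILS"
    chain_ok "$dir" server.pem && echo "with stacked server.pem: verifies" \
        || echo "with stacked server.pem: FAILS"
    rm -rf "$dir"
}
demo
```

The `-untrusted` file plays the role of the extra certificates a TLS peer sends in its handshake: they help build the path but are never trusted by themselves.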