Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1397
  • Last Modified:

Problem with Verisign client certificate

I am having a problem running my Apache 2.2 web server on Windows with OpenSSL support.  I am trying to use a client certificate to verify the identity of my users.  The problem appears to occur with the openssl verify command.  When I run it from the command line, I get an error 20, saying that the local issuer could not be verified.  I think I just need the correct CA root certificate for the digital ID of my client certificate to put in my trusted issuer directory.  I tried just downloading the root certificates from Verisign but I couldn’t get them to work.  Here is the full text of the client certificate:

 

Bag Attributes

    localKeyID: 01 00 00 00

    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0

    friendlyName: a9ad9834d71b63914335f3851682df9b_2c686913-d616-41b2-9f35-f3d32c9fbc6f

Key Attributes

    X509v3 Key Usage: 10

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,A86BA6FF08FC1D1D

 

DVEAPKpKyPBZU/jJCOoC9xnxdGBsUiK94rcvpTw9Hr36Y6KuRG4OB2OAkSfW4JBu

rzfTYLdEbBoEysyVlR9I+9AVLI0Vp5+QTlG9pzeSTuolXPcnCfRjF4RqrzPQjNE3

aFf8xAiPFJu3ScBKsD8kzgH9SrzcuwRcucbZPlM4PLgw2K/mqngPyPSAEtEbLD3b

uJtYFW2bb8w7y3+S5bboo/KuWbHUqJoH5k0kaCxaAQRI0m+Lg7S2pz6SJZKRMUBF

u+H4g6JgOBlOfVo1I8zSJh9swufAwEUAH5GxPOsWnAon9U7nv6jVyJ4jEjViAdju

l1vtY+toQH08A7tism5rSu1Hnqr1hYfR2F6J/ybNR70xpv39Ox7wtOdmbh0X4IW5

HbCaGNoAedoYWtislYG8+K1LcqL0CUu4cVsxEaZmTuACmV2D2v+WWiLxCVcZNIhM

3jitqSnOqCV2gssh28BN4fLClknTafDfpI1bARwP5fJJCBoVNqqhWxlpnT6QYvGD

me4dAhNyTMMEE7KIBGD7VfiKhH8rof0cbG0BHQ0PIUqPza/xiAd7NwkB7yFsuspK

scJpc/2c6jIqECwfTKqKFaP7pAzZViEry1jMFnXncpG7lDUQkNKODoKcPLJvlLKZ

k55kPKSOs6t1tH/x9wcIXZwRDaEU/c8fjakatL6xLNTiJAxzu2fpn/zqtI3L1+uz

NuFFm3qcEVM5/QbVWmY+gSLTW4VGm+grq7FkIFta0D9NFWi1ggfXVek4g3KZF4Z1

+B8fROVWEBvC4ms1TfvY/VJpejduNbhu3PytWRbWeNw9zdXJSU/50Q==

-----END RSA PRIVATE KEY-----

Bag Attributes

    localKeyID: 01 00 00 00

subject=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=jg shudy/emailAddress=jgshudy@coreenergyservices.com

issuer=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated

-----BEGIN CERTIFICATE-----

MIIEJDCCA42gAwIBAgIQKfWSoY2yZkIQsyqPxhcEVDANBgkqhkiG9w0BAQUFADCB

zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy

dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y

eS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1Zl

cmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg

Tm90IFZhbGlkYXRlZDAeFw0wNjAyMjIwMDAwMDBaFw0wNzAyMjIyMzU5NTlaMIIB

GjEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy

dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y

eS9SUEEgSW5jb3JwLiBieSBSZWYuLExJQUIuTFREKGMpOTgxHjAcBgNVBAsTFVBl

cnNvbmEgTm90IFZhbGlkYXRlZDE0MDIGA1UECxMrRGlnaXRhbCBJRCBDbGFzcyAx

IC0gTWljcm9zb2Z0IEZ1bGwgU2VydmljZTERMA8GA1UEAxQIamcgc2h1ZHkxLTAr

BgkqhkiG9w0BCQEWHmpnc2h1ZHlAY29yZWVuZXJneXNlcnZpY2VzLmNvbTCBnzAN

BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt9WBv9/n/U1GpE7E3IKz+U9gdr3FwXd7

9d9c0tFoVfmREV5+dDBtIknX6+eedsmkY5FrJydzNFBVtqrLkbms7+fsxfwFX3qd

oTqEZ2IrJsumwxrM6OZax5d/sl8CuLOzhpv85wLBejxwiN9l5taEtl5gycEyEP1I

UEpiegEmmZ0CAwEAAaOBtTCBsjAJBgNVHRMEAjAAMEQGA1UdIAQ9MDswOQYLYIZI

AYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t

L3JwYTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMC

MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNz

MS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAGjUfMOfE2Hxz640EoYffa+ZjxhOOPf4L

zkDY6zexsdJqfFbna4O5i6r0v6U5E7wLdmjhUfW99aVXYHVb7uS9JRsgYA4zSXX3

npLHdUiWxAGma5elxTtQi0pZInEGQy+cxATlgRFTQecem/nwLMn24ALKu+N2fSnS

XKS/rxUztyc=

-----END CERTIFICATE-----
0
johnsonpaul1014
Asked:
johnsonpaul1014
  • 3
  • 2
1 Solution
 
GinEricCommented:
What did you download them with?  If any ftp, copy & paste, or other than standard binary was used, it's possible that your computer is changing the value of the certificate.

I don't figure why you certificate is double spaced.  Also, there can be no word wrap on a certificate, and you cannot use a program to edit it that uses the wrong carriage return/line feed interpretation.

But the last line says it all "By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated"
0
 
johnsonpaul1014Author Commented:
I just downloaded the root certificates via ftp from their website.  I got the CA1, 2, 3 and 4 certificates in CER format in a zip file, and I tried using those with the openssl verify command by using the -CAfile parameter.  This is the same as PEM format, isn't it?  It was in ASCII format, so I hope it's okay.  This may be the root of my problem.  I am still new at this SSL stuff.

The certificate isn't double spaced in the actual .pem file.  It just showed up that way in my question for some reason because I copied it from an email.

I don't think there is anything wrong with the certificate I put in the question.  I just don't know what CA certificate I need to get openssl to think that Verisign is a trusted source.  It has to match all the /OU information.
0
 
GinEricCommented:
So, you "zipped" and thus compressed a Certificate?

I'm not sure, but I don't think you can zip or compress a certificate; that may, indeed, be the cause of the problem.

SourceForge has a good writeup on acquiring "keys" which are what certificates are.  Verisign should be there by default as a trusted source.  Check your site certificates and see if it's there as a trusted source [Certificate should show from whom, valid, etc., in something like "details" of the certificate in question].

But, uh, I don't think you can zip and compress root certificates.
0
 
johnsonpaul1014Author Commented:
I downloaed the zip file from the site, but I did uncompress it before I tried using the certficates with the verify command.  The command parses all four of the CA certificates I downloaded correctly and they are valid, because I don't get the "unable to load certificate" error.  They just aren't the right ones to validate the certificate I have.  I am going to try and recompile the source and see if I can do some debugging myself.

What is the link on SourceForge for this writeup?
0
 
GinEricCommented:
An explanation of keys:

https://sourceforge.net/docs/F02/en/#top

What a key should look like:

https://sourceforge.net/docs/F02/en/#key_examples

I forget where the root certificates are shown for the site, but each site has such root certificates and ssh operates on a public and private key pair.  I wouldn't try to regenerate the key pair without reading all you can on it and knowing exactly what you're doing, particularly for Windows.

Notice, again, that your certificate [or key] is double-spaced; this simply appears to be wrong.  In fact, the certificate is not breakable over either line feeds or carriage returns, but must remain a single string on a sinlge line, even though it is shown on multiple lines in the examples.  Secondly, there is also a rule about the last character and what it must or must not be for the certificate [or key] to be valid.

https://sourceforge.net/docs/F02/en/#regen_public_key

about lost certificates and keys.

you can also use your Help & Support to search for "certificates" and read what it has to say there, more than one subject.

It's not much different from the SourceForge help, except that it is more gui oriented for Windows.

Validating your certificate means basically paying for one and sending the Issuing Certificate Authority the credentials that prove you are who you say you are.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now