johnsonpaul1014

asked on

Problem with Verisign client certificate

I am having a problem running my Apache 2.2 web server on Windows with OpenSSL support.  I am trying to use a client certificate to verify the identity of my users.  The problem appears to occur with the openssl verify command.  When I run it from the command line, I get an error 20, saying that the local issuer could not be verified.  I think I just need the correct CA root certificate for the digital ID of my client certificate to put in my trusted issuer directory.  I tried just downloading the root certificates from Verisign but I couldn’t get them to work.  Here is the full text of the client certificate:

 

Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
    friendlyName: a9ad9834d71b63914335f3851682df9b_2c686913-d616-41b2-9f35-f3d32c9fbc6f
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A86BA6FF08FC1D1D

DVEAPKpKyPBZU/jJCOoC9xnxdGBsUiK94rcvpTw9Hr36Y6KuRG4OB2OAkSfW4JBu
rzfTYLdEbBoEysyVlR9I+9AVLI0Vp5+QTlG9pzeSTuolXPcnCfRjF4RqrzPQjNE3
aFf8xAiPFJu3ScBKsD8kzgH9SrzcuwRcucbZPlM4PLgw2K/mqngPyPSAEtEbLD3b
uJtYFW2bb8w7y3+S5bboo/KuWbHUqJoH5k0kaCxaAQRI0m+Lg7S2pz6SJZKRMUBF
u+H4g6JgOBlOfVo1I8zSJh9swufAwEUAH5GxPOsWnAon9U7nv6jVyJ4jEjViAdju
l1vtY+toQH08A7tism5rSu1Hnqr1hYfR2F6J/ybNR70xpv39Ox7wtOdmbh0X4IW5
HbCaGNoAedoYWtislYG8+K1LcqL0CUu4cVsxEaZmTuACmV2D2v+WWiLxCVcZNIhM
3jitqSnOqCV2gssh28BN4fLClknTafDfpI1bARwP5fJJCBoVNqqhWxlpnT6QYvGD
me4dAhNyTMMEE7KIBGD7VfiKhH8rof0cbG0BHQ0PIUqPza/xiAd7NwkB7yFsuspK
scJpc/2c6jIqECwfTKqKFaP7pAzZViEry1jMFnXncpG7lDUQkNKODoKcPLJvlLKZ
k55kPKSOs6t1tH/x9wcIXZwRDaEU/c8fjakatL6xLNTiJAxzu2fpn/zqtI3L1+uz
NuFFm3qcEVM5/QbVWmY+gSLTW4VGm+grq7FkIFta0D9NFWi1ggfXVek4g3KZF4Z1
+B8fROVWEBvC4ms1TfvY/VJpejduNbhu3PytWRbWeNw9zdXJSU/50Q==
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=jg shudy/emailAddress=jgshudy@coreenergyservices.com
issuer=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
-----BEGIN CERTIFICATE-----
MIIEJDCCA42gAwIBAgIQKfWSoY2yZkIQsyqPxhcEVDANBgkqhkiG9w0BAQUFADCB
zDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
eS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1Zl
cmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg
Tm90IFZhbGlkYXRlZDAeFw0wNjAyMjIwMDAwMDBaFw0wNzAyMjIyMzU5NTlaMIIB
GjEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
eS9SUEEgSW5jb3JwLiBieSBSZWYuLExJQUIuTFREKGMpOTgxHjAcBgNVBAsTFVBl
cnNvbmEgTm90IFZhbGlkYXRlZDE0MDIGA1UECxMrRGlnaXRhbCBJRCBDbGFzcyAx
IC0gTWljcm9zb2Z0IEZ1bGwgU2VydmljZTERMA8GA1UEAxQIamcgc2h1ZHkxLTAr
BgkqhkiG9w0BCQEWHmpnc2h1ZHlAY29yZWVuZXJneXNlcnZpY2VzLmNvbTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt9WBv9/n/U1GpE7E3IKz+U9gdr3FwXd7
9d9c0tFoVfmREV5+dDBtIknX6+eedsmkY5FrJydzNFBVtqrLkbms7+fsxfwFX3qd
oTqEZ2IrJsumwxrM6OZax5d/sl8CuLOzhpv85wLBejxwiN9l5taEtl5gycEyEP1I
UEpiegEmmZ0CAwEAAaOBtTCBsjAJBgNVHRMEAjAAMEQGA1UdIAQ9MDswOQYLYIZI
AYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
L3JwYTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMC
MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL2NsYXNz
MS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAGjUfMOfE2Hxz640EoYffa+ZjxhOOPf4L
zkDY6zexsdJqfFbna4O5i6r0v6U5E7wLdmjhUfW99aVXYHVb7uS9JRsgYA4zSXX3
npLHdUiWxAGma5elxTtQi0pZInEGQy+cxATlgRFTQecem/nwLMn24ALKu+N2fSnS
XKS/rxUztyc=
-----END CERTIFICATE-----
GinEric

What did you download them with?  If any ftp, copy & paste, or other than standard binary was used, it's possible that your computer is changing the value of the certificate.

I don't figure why your certificate is double spaced.  Also, there can be no word wrap on a certificate, and you cannot use a program to edit it that uses the wrong carriage return/line feed interpretation.

But the last line says it all: "By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated"

ASKER

I just downloaded the root certificates via ftp from their website.  I got the CA1, 2, 3 and 4 certificates in CER format in a zip file, and I tried using those with the openssl verify command by using the -CAfile parameter.  This is the same as PEM format, isn't it?  It was in ASCII format, so I hope it's okay.  This may be the root of my problem.  I am still new at this SSL stuff.

The certificate isn't double spaced in the actual .pem file.  It just showed up that way in my question for some reason because I copied it from an email.

I don't think there is anything wrong with the certificate I put in the question.  I just don't know what CA certificate I need to get openssl to think that Verisign is a trusted source.  It has to match all the /OU information.
So, you "zipped" and thus compressed a Certificate?

I'm not sure, but I don't think you can zip or compress a certificate; that may, indeed, be the cause of the problem.

SourceForge has a good writeup on acquiring "keys" which are what certificates are.  Verisign should be there by default as a trusted source.  Check your site certificates and see if it's there as a trusted source [Certificate should show from whom, valid, etc., in something like "details" of the certificate in question].

But, uh, I don't think you can zip and compress root certificates.
I downloaded the zip file from the site, but I did uncompress it before I tried using the certificates with the verify command.  The command parses all four of the CA certificates I downloaded correctly and they are valid, because I don't get the "unable to load certificate" error.  They just aren't the right ones to validate the certificate I have.  I am going to try and recompile the source and see if I can do some debugging myself.

What is the link on SourceForge for this writeup?
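The thread turns on what "error 20 at 0 depth lookup: unable to get local issuer certificate" means: openssl verify found no certificate in -CAfile whose subject equals the client certificate's issuer. The issuer printed above is "VeriSign Class 1 CA Individual Subscriber-Persona Not Validated", an intermediate CA, so a file holding only the VeriSign roots cannot complete the chain. The POSIX shell script below is an added example (not code from the thread, from VeriSign, or from the OpenSSL project) that reproduces the failure with a constructed, throwaway three-tier chain, then fixes it by bundling the issuing intermediate with the root; it also shows converting a DER-encoded .cer file to PEM, since that is another way -CAfile input silently fails to match. The names "Example Root CA", "Example Intermediate CA" and "jane doe" and all keys are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce openssl verify "error 20"
# against a constructed chain, then repair it with the right -CAfile bundle.
set -eu

# make_chain DIR: build root -> intermediate -> client (constructed, throwaway keys)
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
    # Self-signed root (the tier the asker downloaded from VeriSign)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/O=Example Corp/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA (the "Class 1 CA Individual Subscriber" tier in the thread)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/O=Example Corp/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # End-entity client certificate, issued by the intermediate, not by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/O=Example Corp/CN=jane doe" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/client.pem" 2>/dev/null
}

# verify_with CAFILE CERT: print "ok", or the numeric X509 verify error (e.g. 20)
verify_with() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo ok
    else
        code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
        echo "${code:-fail}"
    fi
}

# to_pem IN OUT: accept a DER (.cer) or PEM certificate and always write PEM
to_pem() {
    if openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; then
        openssl x509 -inform PEM -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# name_of issuer|subject CERT: the DN in RFC 2253 form, prefix stripped, so DNs compare exactly
name_of() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*=//'; }
# issuer_matches CERT CANDIDATE_ISSUER: true when CANDIDATE_ISSUER's subject is CERT's issuer
issuer_matches() { [ "$(name_of issuer "$1")" = "$(name_of subject "$2")" ]; }

# demo: prints "<root-only result> <root+intermediate result> <DN check>"
demo() {
    dir=$(mktemp -d)
    make_chain "$dir"
    # 1. Only the root in -CAfile: the client's issuer (the intermediate) is absent -> error 20
    r1=$(verify_with "$dir/root.pem" "$dir/client.pem")
    # 2. Intermediate delivered as DER .cer: convert it, then bundle root + intermediate
    openssl x509 -in "$dir/int.pem" -outform DER -out "$dir/int.cer"
    to_pem "$dir/int.cer" "$dir/int_from_cer.pem"
    cat "$dir/root.pem" "$dir/int_from_cer.pem" > "$dir/chain.pem"
    r2=$(verify_with "$dir/chain.pem" "$dir/client.pem")
    # 3. Why it now works: the client's issuer DN equals the intermediate's subject DN
    if issuer_matches "$dir/client.pem" "$dir/int_from_cer.pem"; then r3=match; else r3=mismatch; fi
    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}

demo
```

Running it prints "20 ok match": the root alone reproduces the asker's error, and the same file with the intermediate appended verifies. The repaired bundle is also what Apache 2.2 needs in SSLCACertificateFile (or, split one certificate per file, in SSLCACertificatePath after c_rehash) for SSLVerifyClient to accept these client certificates; the issuer_matches check is the quick way to confirm a downloaded CA file is the right one before restarting the server.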
ASKER CERTIFIED SOLUTION
GinEric
