johnsonpaul1014
asked on
Problem with Verisign client certificate
I am having a problem running my Apache 2.2 web server on Windows with OpenSSL support. I am trying to use a client certificate to verify the identity of my users. The problem appears to occur with the openssl verify command. When I run it from the command line, I get an error 20, saying that the local issuer could not be verified. I think I just need the correct CA root certificate for the digital ID of my client certificate to put in my trusted issuer directory. I tried just downloading the root certificates from Verisign but I couldn’t get them to work. Here is the full text of the client certificate:
Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
friendlyName: a9ad9834d71b63914335f3851682df9b_2c686913-d616-41b2-9f35-f3d32c9fbc6f
Key Attributes
X509v3 Key Usage: 10
Bag Attributes
localKeyID: 01 00 00 00
subject=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft Full Service/CN=jg shudy/emailAddress=jgshudy@coreenergyservices.com
issuer=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
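Error 20 from openssl verify means no certificate in the trust store has a subject equal to the leaf certificate's issuer; here that issuer is the "VeriSign Class 1 CA Individual Subscriber" intermediate, not a root, so root certificates alone can never satisfy the lookup. The following Python is an added illustration of that issuer-to-subject chain walk, not code from the thread: the leaf issuer DN is copied from the question, while the trust-store file names and the root DN are constructed placeholders.

```python
import re

# Leaf issuer exactly as printed by `openssl pkcs12` in the question. Note the "/"
# characters inside the www.verisign.com/repository/... OU are part of the value.
LEAF_ISSUER = ("/O=VeriSign, Inc./OU=VeriSign Trust Network"
               "/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98"
               "/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated")

# Constructed trust store: file name -> (subject, issuer). The root DN is a placeholder
# in VeriSign's naming style, not a value taken from a real certificate.
ROOT_DN = "/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority"
ROOT_ONLY = {"class1_root.cer": (ROOT_DN, ROOT_DN)}          # what the asker tried
WITH_INTERMEDIATE = dict(ROOT_ONLY)
WITH_INTERMEDIATE["class1_individual.cer"] = (LEAF_ISSUER, ROOT_DN)  # the missing CA

def parse_oneline_dn(dn):
    """Split OpenSSL's one-line DN on "/" only where an attribute "type=" follows,
    so slashes embedded in a value (e.g. a URL path) survive."""
    return [tuple(p.split("=", 1)) for p in re.split(r"/(?=[A-Za-z0-9.]+=)", dn) if p]

def normalize(value):
    """Approximate RFC 5280 s7.1 name comparison: ignore case and extra whitespace."""
    return " ".join(value.split()).casefold()

def names_match(dn_a, dn_b):
    a, b = parse_oneline_dn(dn_a), parse_oneline_dn(dn_b)
    return len(a) == len(b) and all(
        ta.casefold() == tb.casefold() and normalize(va) == normalize(vb)
        for (ta, va), (tb, vb) in zip(a, b))

def build_chain(leaf_issuer, store):
    """Walk issuer -> subject until a self-signed certificate is reached.
    Returns the list of store entries used, or None when the next issuer is absent,
    which is what OpenSSL reports as error 20 (unable to get local issuer certificate)."""
    chain, wanted = [], leaf_issuer
    while len(chain) <= len(store):            # guard against issuer loops
        hit = next((f for f, (subj, _) in store.items() if names_match(subj, wanted)), None)
        if hit is None:
            return None
        chain.append(hit)
        subj, iss = store[hit]
        if names_match(subj, iss):             # self-signed: trust anchor reached
            return chain
        wanted = iss
    return None

if __name__ == "__main__":
    print("roots only:", build_chain(LEAF_ISSUER, ROOT_ONLY))
    print("with intermediate:", build_chain(LEAF_ISSUER, WITH_INTERMEDIATE))
```

In practice the same check is `openssl x509 -noout -issuer_hash` on the client certificate against `-subject_hash` of each candidate CA file: only a file whose hash matches can be the local issuer.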
ASKER
I just downloaded the root certificates via ftp from their website. I got the CA1, 2, 3 and 4 certificates in CER format in a zip file, and I tried using those with the openssl verify command by using the -CAfile parameter. This is the same as PEM format, isn't it? It was in ASCII format, so I hope it's okay. This may be the root of my problem. I am still new at this SSL stuff.
The certificate isn't double spaced in the actual .pem file. It just showed up that way in my question for some reason because I copied it from an email.
I don't think there is anything wrong with the certificate I put in the question. I just don't know what CA certificate I need to get openssl to think that Verisign is a trusted source. It has to match all the /OU information.
So, you "zipped" and thus compressed a Certificate?
I'm not sure, but I don't think you can zip or compress a certificate; that may, indeed, be the cause of the problem.
SourceForge has a good writeup on acquiring "keys" which are what certificates are. Verisign should be there by default as a trusted source. Check your site certificates and see if it's there as a trusted source [Certificate should show from whom, valid, etc., in something like "details" of the certificate in question].
But, uh, I don't think you can zip and compress root certificates.
ASKER
I downloaded the zip file from the site, but I did uncompress it before I tried using the certificates with the verify command. The command parses all four of the CA certificates I downloaded correctly and they are valid, because I don't get the "unable to load certificate" error. They just aren't the right ones to validate the certificate I have. I am going to try and recompile the source and see if I can do some debugging myself.
What is the link on SourceForge for this writeup?
ASKER CERTIFIED SOLUTION
I don't figure why your certificate is double spaced. Also, there can be no word wrap on a certificate, and you cannot use a program to edit it that uses the wrong carriage return/line feed interpretation.
But the last line says it all "By Ref.,LIAB.LTD(c)98/CN=Veri