From: owner-openssl-users@openssl.org On Behalf Of Rodney Simioni Sent: Friday, 21 June, 2013 11:38
Comments below.
From: owner-openssl-users@openssl.org On Behalf Of Dave Thompson Sent: Thursday, June 20, 2013 6:24 PM
<snip>
The wildcard.securesites.com.cert you posted 6/19 has Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA and AKI 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
GeoTrust doesn't publish that anywhere I can find but http://www.tbs-certificats.com/FAQ/en/603.html has <snip> which is an intermediate (not root) cert (verifiably) under Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA AKI C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E [[Rod's comment]] I need clarification please. The 'Root 2' is the root CA that I can download from geotrust and the one provided to me by my sysadmin is an intermeadiate?
and THAT is "Root 2" (one of several) on http://www.geotrust.com/resources/root-certificates/index.html (also in the standard Windows, Firefox, and Java truststores)
The cert from your admin is a *user* cert -- for *.securesites.com. The one I found on tbs-certificats is the relevant intermediate. "Root 2" from GeoTrust, or elsewhere, is the relevant root.
What command do I use to make sure the key/pair that was
sent to me is
compatible with GeoTrust's CA?
Either concatenate the intermediate above and the correct root (also in PEM) into one file say geotrustCAs.pem and do: openssl verify -CAfile geotrustCAs.pem yourcertfile [[Rod's comment]] Are you saying to concatenate the intermediate root and 'Root 2' which should be downloaded from geotrust?
The intermediate cert and the root cert. The intermediate is a CA cert, but is not a root cert (or root CA cert).
Or put them as separate files in some directory say mycadir, create hashnames using c_rehash or by hand, and do: openssl verify -CApath mycadir yourcertfile
(The first is usually easier.)
Assuming (as asked before) your opendlap is using openssl not MozillaNSS, to use a key&cert with an intermediate cert openssl requires either configuring a certchain file or putting the chain cert(s) in the truststore (even if the cert(s) or truststore aren't needed for verification). [[Rod's comment]] As you said before, I'm probably using MozNSS because of the errors I was getting several emails ago. What should I do? Should I remove MozNSS pkg? I've already Installed openssl-devel pkg.
Someone else suggested that and I was referring to them. Part of the errorlog you posted before looks consistent with MozNSS, but part looks consistent with openssl to me, so I can't tell. I expect openldap has a way to tell you which it uses, but I don't know how. 'devel' packages probably matter only if you are re-building openldap; are you?
If you are in fact using MozNSS, the same principles still apply as to which key and certficates you need where (server vs client), but the specifics of what file(s) you put them are entirely different, so ignore those parts of my instructions.
<snip>