Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: openssl fails to download certificate
Special Forums Cybersecurity openssl fails to download certificate Post 302566839 by mohtashims on Friday 21st of October 2011 08:52:44 AM
Old 10-21-2011
Question openssl fails to download certificate
I tried openssl to download a remote cert on my181.svr.us.cyber.net
Below are the 3 steps to generate self sign certificate.

1)To generate keys:
Code:
/opt/boksm/lib/openssl genrsa -des3 -out server2.key 2048 -config /usr/sfw/lib/webmin/acl/openssl.cnf

2)To generate CSR
Code:
/opt/boksm/lib/openssl req -new -key server2.key -out server2.csr -config /usr/sfw/lib/webmin/acl/openssl.cnf

3)To generate certificate
Code:
/opt/boksm/lib/openssl x509 -req -days 365 -in server2.csr -signkey server2.key -out server2.crt

And then used
Code:
/opt/boksm/lib/openssl s_client -connect my181.svr.us.cyber.net:12201 -key server2.key -cert server2.crt -CAfile ca.crt

To connect
Code:
/opt/boksm/lib/openssl s_client -connect my181.svr.us.cyber.net:12201 -
key server2.key -cert server2.crt -CAfile ca.crt

Code:
Enter pass phrase for server2.key: 15959:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:765: 15959:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280: CONNECTED(00000004) depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 verify error:num=20:unable to get local issuer certificate verify return:0 15959:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1060:SSL alert number 48 15959:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Not sure what I am doing wrong.

Can you please help figure out?
 

10 More Discussions You Might Find Interesting

1. Forum Support Area for Unregistered Users & Account Problems

Unix Certificate

TO WHOM IT MAY CONCERN: I am Ayanda Fuzile, I would like to request my UNIX Certificate, I completed my course in 2000. My email adress is removed, my postal adress is also removed. Kind Regards, Ayanda Fuzile (1 Reply)
Discussion started by: afuzile
1 Replies

2. UNIX for Advanced & Expert Users

decryption using digital certificate

A client application is encrypting a text using private key and sends through socket. My application(server written in c/c++,unix) receives the chiper-text through socket. I have client's digital certificate. now, how do I decrypt(may be using openssl library) this ciper-text using client's... (1 Reply)
Discussion started by: johnbach
1 Replies

3. Web Development

SSL certificate

Dear All Anyone know how to issue two different certification on apache virtualhost fyi i have one virtualhost eg 69.192.1.25:443 already signed with verisign how can i configure another virtualhost 69.192.1.25:443 which signing with another certificate which self signing. i search net not... (1 Reply)
Discussion started by: netxus
1 Replies

4. Cybersecurity

SSL certificate

Hi guys. I have some questions about ssl certificates. I looked at SSL providers and saw that they are providing 2 types of certificates: per server or per domain. my server host name is: srv1.example.com I have a smtp, imap, web server on this box. but all services accessed by different... (1 Reply)
Discussion started by: majid.merkava
1 Replies

5. UNIX for Dummies Questions & Answers

Is it possible to extract a certificate chain?

Hi all! I wanted to look at the key length of a certificate chain we have. When I do the conventional export command using keytool I will only get the end user cert. keytool -export -alias aliasname -file filename.cer -keystore keystorename The above code will only give me the end user... (2 Replies)
Discussion started by: Keepcase
2 Replies

6. UNIX for Advanced & Expert Users

Curl Command to download remote certificate

Hi, I have Apache running with the certificates installed. I need a "unix curl" command to download and display remote server certificate. Kindly help. Note: Apache has ""SSLVerifyClient require" set in its configuration. (3 Replies)
Discussion started by: mohtashims
3 Replies

7. Cybersecurity

Another Certificate question

Hey everyone, another question on certificate chains... When a site applies for an ssl certificate, do they have to apply to a root CA? or can they apply to a root, or one of the many smaller CA companies? Then once they obtain a cert from that smaller CA, the company gets it's cert signed by a... (1 Reply)
Discussion started by: Lost in Cyberia
1 Replies

8. UNIX for Advanced & Expert Users

Does vsftpd support user access with client certificate with priv/pub key + vsftpd certificate?

:rolleyes:I am trying to setup all certificate based client-server environment in Linux using vsftpd and curl with openssl. I would like to make a user access with vsftpd certificate and user own client certificate (self-signed) with private/public key. I don't see google posts about the my plan... (4 Replies)
Discussion started by: gogogo
4 Replies

9. Shell Programming and Scripting

Grep from a certificate

I can view the openSSL certifcate with this command openssl x509 -text -in myCertificate.pem I just wanted to see when the cert will expire only. The line which I want to read is, Not After : Jul 28 14:09:57 2015 GMT I tried using the grep command but it doesn't display anything. grep... (1 Reply)
Discussion started by: Loc
1 Replies

10. UNIX for Beginners Questions & Answers

How to check ssl certificate expiry date using openssl command?

hi how to check ssl certificate expiry date using openssl command try below code it is not working, any help echo q | openssl s_client -connect akamai.com:443 | openssl x509 -noout -enddate socket: Bad file descriptor connect:errno=9 unable to load certificate... (0 Replies)
Discussion started by: raghur77
0 Replies

LEARN ABOUT DEBIAN

puppet-cert

PUPPET-CERT(8)							   Puppet manual						    PUPPET-CERT(8)

NAME

       puppet-cert - Manage certificates and requests

SYNOPSIS

       Standalone certificate authority. Capable of generating certificates, but mostly used for signing certificate requests from puppet clients.

USAGE

       puppet cert action [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose] [--digest digest] [host]

DESCRIPTION

       Because	the  puppet  master  service defaults to not signing client certificate requests, this script is available for signing outstanding
       requests. It can be used to list outstanding requests and then either sign them individually or sign all of them.

ACTIONS

       Every action except 'list' and 'generate' requires a hostname to act on, unless the '--all' option is set.

       clean  Revoke a host's certificate (if applicable) and remove all files related to that host from puppet cert's	storage.  This	is  useful
	      when  rebuilding	hosts, since new certificate signing requests will only be honored if puppet cert does not have a copy of a signed
	      certificate for that host. If '--all' is specified then all host certificates, both signed and unsigned, will be removed.

       fingerprint
	      Print the DIGEST (defaults to md5) fingerprint of a host's certificate.

       generate
	      Generate a certificate for a named client. A certificate/keypair will be generated for each client named on the command line.

       list   List outstanding certificate requests. If '--all' is specified, signed certificates are also listed, prefixed by '+', and revoked or
	      invalid certificates are prefixed by '-' (the verification outcome is printed in parenthesis).

       print  Print the full-text version of a host's certificate.

       revoke Revoke  the  certificate	of  a client. The certificate can be specified either by its serial number (given as a decimal number or a
	      hexadecimal number prefixed by '0x') or by its hostname. The certificate is revoked by adding it to the Certificate Revocation  List
	      given by the 'cacrl' configuration option. Note that the puppet master needs to be restarted after revoking certificates.

       sign   Sign an outstanding certificate request.

       verify Verify the named certificate against the local CA certificate.

OPTIONS

       Note  that  any	configuration  parameter  that's valid in the configuration file is also a valid long argument. For example, 'ssldir' is a
       valid configuration parameter, so you can specify '--ssldir directory' as an argument.

       See the configuration file documentation at http://docs.puppetlabs.com/references/stable/configuration.html for the full list of acceptable
       parameters. A commented list of all configuration options can also be generated by running puppet cert with '--genconfig'.

       --all  Operate on all items. Currently only makes sense with the 'sign', 'clean', 'list', and 'fingerprint' actions.

       --digest
	      Set  the	digest	for fingerprinting (defaults to md5). Valid values depends on your openssl and openssl ruby extension version, but
	      should contain at least md5, sha1, md2, sha256.

       --debug
	      Enable full debugging.

       --help Print this help message

       --verbose
	      Enable verbosity.

       --version
	      Print the puppet version number and exit.

EXAMPLE

       $ puppet cert list
       culain.madstop.com
       $ puppet cert sign culain.madstop.com

AUTHOR

       Luke Kanies

COPYRIGHT

       Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License

Puppet Labs, LLC						     June 2012							    PUPPET-CERT(8)
All times are GMT -4. The time now is 04:43 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy