[openssl-users] Jks converted to Pem error in veirfying

Jan Just Keijser janjust at nikhef.nl
Mon Jan 11 22:02:42 UTC 2016


Hi,

On 10/01/16 05:15, Anil Mathew wrote:
> I am a novice in terms of ssl and hence have limited knowledge in this.
> Please help
>
> I have been a given a jks file that has server certificate, client
> certificate and a key for the client certificate.  I need to convert it to
> pem to use it in my application.
>
> I have converted a jks file to p12 and then to pem.
> However when i try to verify i get the following error.
>
> echo |openssl verify -verbose -purpose sslclient -issuer_checks -CApath
> C:\Data\Openssl\demoCA\certs -CAfile client.pem client.pem
> client.pem: /CN=cn/O=o/L=L/ST=il/C= c
> error 29 at 0 depth lookup:subject issuer mismatch
> /CN=cn/O=o/L=L/ST=il/C= c
> error 29 at 0 depth lookup:subject issuer mismatch
> /CN=cn/O=o/L=L/ST=il/C= c
> error 29 at 0 depth lookup:subject issuer mismatch
> /CN=cn/O=o/L=L/ST=il/C= c
> error 29 at 0 depth lookup:subject issuer mismatch
> /CN=cn/O=o/L=L/ST=il/C= c
> error 20 at 0 depth lookup:unable to get local issuer certificate

this could be a PRINTABLE_STRING  / UTF8_STRING mismatch - can you send 
me the certificates (not the key!) via private email and I will have a 
look. There are some funky options you can add to openssl to see how the 
certificate is composed.

Also, it would help to list the exact version of openssl that you are 
using (run 'openssl version').

HTH,

JJK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160111/8e97a82e/attachment.html>


More information about the openssl-users mailing list