<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 10/01/16 05:15, Anil Mathew wrote:<br>
</div>
<blockquote
cite="mid:CAJTG-bdqDYvXOB_YOEc1CUo_GM1_3mx_8DZcH_FtM+4DLVLYcA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:tahoma,sans-serif"><span
style="font-family:arial,sans-serif;font-size:12.8px">I am a
novice in terms of SSL and hence have limited knowledge in
this.</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">Please
help</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<br style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">I
have been given a jks file that has server certificate,
client</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">certificate
and a key for the client certificate. I need to convert it
to</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">pem
to use it in my application.</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<br style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">I
have converted a jks file to p12 and then to pem.</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">However
when I try to verify I get the following error.</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<br style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">echo
|openssl verify -verbose -purpose sslclient -issuer_checks
-CApath</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">C:\Data\Openssl\demoCA\certs
-CAfile client.pem client.pem</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">client.pem:
/CN=cn/O=o/L=L/ST=il/C= c</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">error
29 at 0 depth lookup:subject issuer mismatch</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">/CN=cn/O=o/L=L/ST=il/C=
c</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">error
29 at 0 depth lookup:subject issuer mismatch</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">/CN=cn/O=o/L=L/ST=il/C=
c</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">error
29 at 0 depth lookup:subject issuer mismatch</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">/CN=cn/O=o/L=L/ST=il/C=
c</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">error
29 at 0 depth lookup:subject issuer mismatch</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">/CN=cn/O=o/L=L/ST=il/C=
c</span><br
style="font-family:arial,sans-serif;font-size:12.8px">
<span style="font-family:arial,sans-serif;font-size:12.8px">error
20 at 0 depth lookup:unable to get local issuer certificate</span><br>
</div>
</div>
</blockquote>
<br>
This could be a PRINTABLE_STRING / UTF8_STRING mismatch - can you
send me the certificates (not the key!) via private email and I will
have a look. There are some funky options you can add to openssl to
see how the certificate is composed.<br>
<br>
Also, it would help to list the exact version of openssl that you
are using (run 'openssl version').<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
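The kind of string-type mismatch suggested in the reply above, as an added example (not part of the original thread and not OpenSSL's own code): two distinguished names with identical text but different ASN.1 string types differ byte for byte. The DN values and all helper names are constructed for illustration; how a particular OpenSSL version compares such names is not shown here.<br>

```python
# Added example: minimal DER reader for an X.509 Name, run on constructed data.
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}

def tlv(tag, body):
    """Encode one DER TLV (short-form length only, enough for this sample)."""
    assert 128 > len(body)
    return bytes([tag, len(body)]) + body

def make_name(attrs, string_tag):
    """Build a DER Name: SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    rdns = b""
    for oid, text in attrs:
        atv = tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this sketch")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def describe_name(der):
    """List (oid_hex, string_type, text) per RDN (first attribute of each set)."""
    out = []
    _, rdns, _ = read_tlv(der, 0)
    pos = 0
    while len(rdns) > pos:
        _, rdn_set, pos = read_tlv(rdns, pos)
        _, atv, _ = read_tlv(rdn_set, 0)
        _, oid, nxt = read_tlv(atv, 0)
        stag, text, _ = read_tlv(atv, nxt)
        out.append((oid.hex(), STRING_TYPES.get(stag, hex(stag)), text.decode("utf-8")))
    return out

def compare(subject_of_ca, issuer_of_leaf):
    """Contrast a byte-wise comparison with a text-only comparison."""
    text = lambda d: [(o, v) for o, _, v in describe_name(d)]
    return {"bytes_equal": subject_of_ca == issuer_of_leaf,
            "text_equal": text(subject_of_ca) == text(issuer_of_leaf)}

# Constructed DN (not taken from the thread): CN=Example CA, O=Example
ATTRS = [(bytes.fromhex("550403"), "Example CA"), (bytes.fromhex("55040a"), "Example")]
CA_SUBJECT = make_name(ATTRS, 0x13)   # encoded as PrintableString
LEAF_ISSUER = make_name(ATTRS, 0x0C)  # same text, encoded as UTF8String

if __name__ == "__main__":
    for label, der in (("CA subject", CA_SUBJECT), ("leaf issuer", LEAF_ISSUER)):
        print(label, describe_name(der))
    print(compare(CA_SUBJECT, LEAF_ISSUER))
```

On a real certificate, <code>openssl x509 -in client.pem -noout -subject -issuer -nameopt multiline,show_type</code> prints the string type of each DN attribute.<br>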
</body>
</html>