[openssl-users] Verifying a certificate chain
Yan Seiner
yan at seiner.com
Sun Oct 4 11:58:42 UTC 2015
On 10/04/2015 07:03 AM, Yan Seiner wrote:
> I am trying to figure out what I have done wrong.
>
> I have a certificate from PositiveSSL for my email server. I have the
> root certificate and the intermediate certs installed in /etc/ssl/certs/.
>
> However, I still cannot verify my certificate. I can't figure out
> what I have done wrong. I've been wrestling with this for a long
> time, and I am out of ideas.
>
> I am not that familiar with ssl certs - they usually "just work". This
> one, however, is kicking my butt.
Never mind. I tried one more thing and it worked.
I concatenated my cert onto the bundle and used that.
cat mail_seiner_com.pem PositiveSSL.pem > mail_seiner_com_bundle.pem
I'm not sure why neither exim4 nor dovecot would accept my cert and then
a ca cert but rather wanted them all in one bundle.
It now validates correctly.
yan at yan-ThinkPad-W530:~$ openssl s_client -connect mail.seiner.com:587 -starttls smtp -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =
mail.seiner.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.seiner.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.seiner.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6936 bytes and written 698 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
Session-ID:
30ADE9920D1BD0EC207BC77EBDA03D44AC6EA22658A1FEF788061C5B3C14FB73
Session-ID-ctx:
Master-Key:
F9AFA07FD0D81D0ED1F3265F126844345251BBB221AF0BE22204B7469AF5B4783129255AB04525743906A598E3582C0E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1443959631
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 HELP
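The fix in the post (server cert concatenated with the intermediate bundle) can be checked offline before restarting exim4 or dovecot. The script below is an added example, not code from the thread; it assumes only the openssl CLI and builds a constructed three-tier test chain (root, intermediate, leaf) in place of AddTrust, COMODO and PositiveSSL, then shows that the leaf alone fails to verify while the bundle passes.

```shell
#!/bin/sh
# Build the one-file bundle exim4/dovecot want (server cert first, then the
# intermediates) and verify it offline the way a TLS client does.
# Added example; assumes the openssl CLI. The chain is a constructed test chain.
set -e

EC='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'

# make_chain DIR: write root.pem, int.pem, leaf.pem (and their keys) into DIR.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new $EC -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=$n" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 1 -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# build_bundle LEAF INTERMEDIATES OUT: the `cat` from the post. Order matters
# to the server: TLS requires the server's own cert first, each following
# cert certifying the one before it.
build_bundle() { cat "$1" "$2" > "$3"; }

# verify_leaf BUNDLE ROOTS: exit 0 if the first cert in BUNDLE chains to ROOTS.
# openssl verify checks only the first cert of its positional file; -untrusted
# reuses the bundle as the pool of intermediates, which is exactly what a
# client receives from the server. Roots stay in a separate, trusted file.
verify_leaf() { openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1; }

# Demo: the leaf on its own fails (the symptom in the thread); the bundle passes.
demo() {
  d=$(mktemp -d); make_chain "$d"
  build_bundle "$d/leaf.pem" "$d/int.pem" "$d/bundle.pem"
  alone=fail; whole=fail
  verify_leaf "$d/leaf.pem" "$d/root.pem" && alone=ok
  verify_leaf "$d/bundle.pem" "$d/root.pem" && whole=ok
  rm -rf "$d"
  echo "leaf alone: $alone, bundle: $whole"
  [ "$alone" = fail ] && [ "$whole" = ok ]
}
demo
```

With a real deployment, point `verify_leaf` at the bundle you hand to the mail server and at the system root store (e.g. `-CAfile /etc/ssl/certs/ca-certificates.crt`); the same `-untrusted` idiom applies.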