[openssl-users] SSL alert number 48
Jan Just Keijser
janjust at nikhef.nl
Tue Dec 19 13:43:42 UTC 2017
Hi,
On 12/12/17 11:06, wizard2010 at gmail.com wrote:
> Hi.
>
> Ok, I agree with you that the way I generate the certificates might
> not be the right one, but now I have changed the way and the problem remains.
> Please check the way I'm creating the certificates. I create a ROOT-CA
> entity and an INTERMEDIATE-CA that is responsible for generating the
> CLIENT and SERVER certificates.
> This is the script [ https://pastebin.com/bw6j5AZz ] that I'm using to
> create this small PKI example
>
You're changing the game as you go along -- now you want an intermediate
CA all of a sudden ;)
Still, with the certs you've sent this time I can get it to work, with a
minor code change: instead of using
SSL_CTX_use_certificate_chain_file(...)
I am using
SSL_CTX_use_certificate_chain_file(ssl_server_ctx, SSL_SERVER_RSA_CERT)
then make sure that RSA_CA_CRT points to root-ca.crt and that
SERVER_RSA_CRT points to server.pem, which contains the intermediate CA
as a stacked cert; on the client side, use your stacked client.pem file
as well. In that case I can connect to your server program using
openssl s_client -connect 127.0.0.1:4444 -CAfile root-ca.crt -cert client.pem -key client.key
HTH,
JJK
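
Added example, not part of the original message or the poster's script: a throwaway root CA, intermediate CA and server certificate (all file and subject names are constructed for this demo). It shows that a peer trusting only root-ca.crt rejects the bare leaf, the condition behind alert 48 (unknown_ca), and accepts it once the stacked server.pem supplies the intermediate.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> server leaf.
# File and subject names are assumptions for this demo.

# new_csr DIR NAME CN: write NAME.key and NAME.csr into DIR.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_pki() {
    d=$1
    # CA certificates need basicConstraints CA:TRUE to be accepted as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    new_csr "$d" root-ca "Demo Root CA" &&
    new_csr "$d" intermediate-ca "Demo Intermediate CA" &&
    new_csr "$d" server "localhost" &&
    # Self-signed root.
    openssl x509 -req -in "$d/root-ca.csr" -signkey "$d/root-ca.key" \
        -extfile "$d/ca.ext" -days 1 -out "$d/root-ca.crt" 2>/dev/null &&
    # Intermediate signed by the root.
    openssl x509 -req -in "$d/intermediate-ca.csr" -CA "$d/root-ca.crt" \
        -CAkey "$d/root-ca.key" -CAcreateserial -extfile "$d/ca.ext" \
        -days 1 -out "$d/intermediate-ca.crt" 2>/dev/null &&
    # Server leaf signed by the intermediate.
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate-ca.crt" \
        -CAkey "$d/intermediate-ca.key" -CAcreateserial \
        -days 1 -out "$d/server.crt" 2>/dev/null &&
    # Stacked file: leaf first, then the intermediate that issued it.
    cat "$d/server.crt" "$d/intermediate-ca.crt" > "$d/server.pem"
}

# What a peer that trusts only the root sees when just the leaf is sent.
verify_leaf_only() {
    openssl verify -CAfile "$1/root-ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Same peer when the stacked server.pem supplies the intermediate as an
# untrusted helper certificate, as the TLS handshake would.
verify_with_chain() {
    openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/server.pem" \
        "$1/server.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir"
verify_leaf_only "$demo_dir" && echo "leaf only: OK" || echo "leaf only: FAIL (issuer unknown)"
verify_with_chain "$demo_dir" && echo "stacked chain: OK" || echo "stacked chain: FAIL"
rm -rf "$demo_dir"
```

The same check applies to a stacked client.pem when the server requests a client certificate.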