[openssl-users] SSL alert number 48

Jan Just Keijser janjust at nikhef.nl
Tue Dec 19 13:43:42 UTC 2017


On 12/12/17 11:06, wizard2010 at gmail.com wrote:
> Hi.
> Ok, I agree with you that the way I generate the certificates could 
> not be the right one, but now I change the way and the problem remains.
> Please check the way I'm creating the certificates. I create a ROOT-CA 
> entity and a INTERMEDIATE-CA that is responsible to generate the 
> CLIENT and SERVER certificates.
> This is the script [ https://pastebin.com/bw6j5AZz ] that I'm using to 
> create this small PKI example
you're changing the game as you go along -- now you want an intermediate 
CA all of a sudden ;)
Still, with the certs you've sent this time I can get it to work, with a 
minor code change: instead of using
I am using
   SSL_CTX_use_certificate_chain_file(ssl_server_ctx, SSL_SERVER_RSA_CERT)

then make sure that RSA_CA_CRT points to root-ca.crt and that 
SERVER_RSA_CRT points to server.pem, which contains the intermediate CA 
as a stacked cert; on the client side, use your stacked client.pem file 
as well. In that case I can connect to your server program using
   openssl s_client -connect -CAfile root-ca.crt -cert 
client.pem -key client.key



More information about the openssl-users mailing list