0

I have an X.509 certificate mycert.pem and a private key mykey.pem for it.

Furthermore, the certificate has a root certificate and an intermediate certificate to build a complete chain.

I had to add both the root cert root.pem and the intermediate cert interm.pem to /etc/ssl/certs with the correct hash link to make openssl verify the certificate OK.

mycert.pem: OK

Now I try to use openssl s_client.

I get an error at the server-side because I have set -key and also -cert but not -CAfile.

openssl s_client -connect my.host.org:433 -cert mycert.pem -key mykey.pem

I am not sure about that. How can I create the file for -CAfile?

I tried to set -CApath /etc/ssl/certs instead of -CAfile, but it did not help.

2 Answers

0

You should try to use the update-ca-trust utility; it will read the content of /etc/pki/ca-trust/extracted and add the new Root CA & intermediate CA to /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt.

2
  • I do not have that binary or those paths. My certs are in /etc/ssl/certs. Commented Apr 9, 2024 at 15:33
  • On CentOS it is in the ca-certificates package. Commented Apr 9, 2024 at 15:52
0

Is your server sending the cert chain or just the leaf cert? Use the -showcerts option to see. If just the leaf cert is sent then it won't connect the cert that is sent to the root CA in /etc/ssl/certs because the intermediate isn't a root and isn't trusted.
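
What a -CAfile bundle is and why a missing intermediate breaks chain building, as an added example that is not part of the original question or answers. It generates a constructed root, intermediate and leaf in a temporary directory (file names reuse the question's; the CN values and function names are made up) and runs openssl verify three ways.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); no file here comes from the question.

# Create a key and a CSR: new_req <dir> <name> <CN>
new_req() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_req "$d" root "Demo Root CA"
    new_req "$d" interm "Demo Intermediate CA"
    new_req "$d" mycert "client.demo.invalid"
    # Self-signed root; the root signs the intermediate; the intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/interm.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/interm.pem" 2>/dev/null
    openssl x509 -req -in "$d/mycert.csr" -CA "$d/interm.pem" -CAkey "$d/interm.key" \
        -set_serial 3 -days 2 -out "$d/mycert.pem" 2>/dev/null
    # A -CAfile bundle is the PEM certificates concatenated into one file.
    cat "$d/interm.pem" "$d/root.pem" > "$d/chain.pem"
}

# True when `openssl verify` prints "<file>: OK" for the given arguments.
chain_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

# Only the root is known: the leaf's issuer (the intermediate) cannot be found.
verify_root_only() { chain_ok -CAfile "$1/root.pem" "$1/mycert.pem"; }
# Intermediate and root together in one -CAfile bundle.
verify_with_bundle() { chain_ok -CAfile "$1/chain.pem" "$1/mycert.pem"; }
# Root trusted, intermediate supplied as untrusted, as when a peer sends its chain.
verify_with_untrusted() {
    chain_ok -CAfile "$1/root.pem" -untrusted "$1/interm.pem" "$1/mycert.pem"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
for check in verify_root_only verify_with_bundle verify_with_untrusted; do
    if "$check" "$demo"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
rm -rf "$demo"
```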
