Openssl Error Unable To Get Local Issuer Certificate Getting Chain
Contents |
here for a quick overview of the site Help Center Detailed answers to any questions you openssl unable to get issuer certificate getting chain might have Meta Discuss the workings and policies of this site openssl pkcs12 chain About Us Learn more about Stack Overflow the company Business Learn more about hiring developers or comodo root certificate posting ads with us Stack Overflow Questions Jobs Documentation Tags Users Badges Ask Question x Dismiss Join the Stack Overflow Community Stack Overflow is a community of
Error 20 At 0 Depth Lookup:unable To Get Local Issuer Certificate
6.2 million programmers, just like you, helping each other. Join them; it only takes a minute: Sign up Unable to get local issuer certificate while processing chain up vote 1 down vote favorite I do have private key(my_ca.key) and public key(my_cert.crt) which is signed by DigiCert. Now I want to create RA(Registration Authority) and sign verify error:num=20:unable to get local issuer certificate it by my private key . Here is the way I tried to do that. But when I try to export private and public key as pkcs12 file I have been getting error like this unable to get local issuer certificate getting chain. No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3 and that one extended from DigiCert High Assurance EV Root CA SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=Nope/OU=mobile/CN=My root" openssl genrsa -out ra.key 4096 openssl req -new -key ra.key -out ra.csr -subj "$SSL_SUBJ" openssl x509 -req -days 365 -in ra.csr -CA my_cert.pem -CAkey my_ca.pem - set_serial 76964474 -out ra.crt openssl rsa -in ra.key -text > ra_private.pem openssl x509 -in ra.crt -out ra_cert.pem openssl pkcs12 -export -out ca.p12 -inkey my_ca.pem -in my_cert.pem -name "cacert" -passout pass:password openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem - chain -CAfile my_cert.pem -name "racert" -passout pass:password ssl openssl x509 pki pkcs#12 share|improve this question edited Mar 5 '15 at 20:50 jww 35.7k21112225
Support: http://stackoverflow.com/questions/28870572/unable-to-get-local-issuer-certificate-while-processing-chain Order Processing Email Form Technical Support Email Form Knowledge Center Search Tips Search About Us|Legal|Contact Us|Site Map|FreeSSL Certificates https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO17070 © RapidSSL. RapidSSL is a leading certificate authority, enabling secure socket layer (SSL) encryption trusted by over 99% of browsers and customers worldwide for web site security. We specialize in fast issuance of low cost and free SSL certificates and wildcard SSL certificates. RapidSSL Certificates, RapidSSL Wildcard Certificates and FreeSSL™ Certificates.
♦ Locked 4 messages Meurer, Jerry L. (EHQ) Reply | Threaded Open this post in threaded view ♦ ♦ | Report Content as Inappropriate http://openssl.6102.n7.nabble.com/Create-a-p12-file-with-a-Verisign-Certificate-and-an-Verisign-Intermediate-Certificate-td15113.html ♦ ♦ Create a p12 file with a Verisign Certificate and an Verisign Intermediate Certificate Create a p12 file with a Verisign Certificate and an Verisign Intermediate Certificate I'm getting an https://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/ error attempting to create a p12 file using OpenSSL. I can't seem to find anything that will lead me to a resolution. The error I'm getting is: "unable to get unable to local issuer certificate getting chain" My setup is on a Windows server using Tomcat, with Apache. Apache listening on 80, and redirects to 8080 where the application lives. What I did [hope this is not too detailed]: - 2 years ago we purchased and downloaded an SSL cert from Verisign and named it server.crt, - Downloaded the Intermediate cert (chain). - Created unable to get an additional single file with the Intermediate cert, then the SSL cert below that text (concatenated the files with the intermediate on top), saved it as separate file called cachain.crt. - Ran the command: openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name tomcat -Cafile cachain.crt -caname root -chain - This gave me the server.p12 file that is being used right now. This expires in 12 days :( Now: - I gave our midrange team (who have the account with Verisign) a copy of the server.key file from my web server (from last year), they created a cert.csr file, sent it to Verisign - Sent me back a zip file that contained a cert.arm file (not familiar with an ARM file, but the text within is the certificate) cert.csr, and the server.key file - I downloaded a new Intermediate CA (Managed PKI Standard SSL Intermediate CA.txt) and created a file called cachain.crt (concatenated the files with the intermediate on top and the certificate below). Issue: - I've been attempting to create a server.p12 file using my notes from last year. I
procedure described here. Read through the procedure, and then use the website listed at the end. And if you don't want your private key generated on a server you don't own, download my tool I created for Windows that doesn't require installation: CreateCertGUI. I also made a video showing the full procedure. Ever wanted to make your own public key certificate for digital signatures? There are many recipes and tools on the net, like this one. My howto uses OpenSSL, and gives you a cert with a nice chain to your root CA. First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key: openssl genrsa -out ca.key 4096 Generating RSA private key, 4096 bit long modulus ...................................................................................++ ........................................................................++ e is 65537 (0x10001) If you want to password-protect this key, add option -des3. Next, we create our self-signed root CA certificate ca.crt; you'll need to provide an identity for your root CA: openssl req -new -x509 -days 1826 -key ca.key -out ca.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:BE State or Province Name (full name) [Berkshire]:Brussels Locality Name (eg, city) [Newbury]:Brussels Organization Name (eg, company) [My Company Ltd]:https://DidierStevens.com Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:Didier Stevens (https://DidierStevens.com) Email Address []:didier stevens Google mail The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years. Next step: create our subordinate CA that will be used for the actual signing. First, generate the key: openssl genrsa -out ia.key 4096 Generating RSA private key, 4096 bit long modulus ....