I want to connect to a server using a particular certificate, signed (by the company running the server)
RootCA.crt
and the CompanyCA.crt
I can create a Java keystore from the signed certificate and my key. If I use that in SoapUI, I can successfully connect to the server, sending SOAP requests and getting proper responses.
I cannot use my certificate and key with openssl s_client -connect. The response is a Verify return code: 20 (unable to get local issuer certificate)
My command:
openssl s_client -connect service.company.com:443 -cert myCert.crt -key myKey.key
-CAfile
-CAfile
c_rehash
specifying /usr/lib/ssl/certs/ with -CApath and running c_rehash
.pem of my certificate and key file (from .p12) and using that as -cert
openssl verify -CAfile RootCA.crt CompanyCA.crt
, the result is error 20 at 0 depth lookup:unable to get local issuer certificate
openssl verify -CAfile RootCA.crt myCert.crt
, the result is error 2 at 1 depth lookup:unable to get issuer certificate
I always get (more or less)
CONNECTED(00000003)
depth=1 C = DE, O = Company, CN = Company CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=DE/ST=City/L=City/O=Company/CN=service.company.com
i:/C=DE/O=Company/CN=Company CA
1 s:/C=DE/O=Company/CN=Company CA
i:/C=DE/O=Other Company/OU=INST/DSW/CN=Other Company Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
subject=/C=DE/ST=City/L=City/O=Company/CN=service.company.com
issuer=/C=DE/O=Company/CN=Company CA
---
Acceptable client certificate CA names
/C=DE/O=Other Company/OU=INST/DSW/CN=Other Company Root CA
/C=DE/O=Company/CN=Company CA
---
SSL handshake has read 3926 bytes and written 2631 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: SessionId
Session-ID-ctx:
Master-Key: MasterKey
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
<SNIP>
Start Time: 1393503573
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
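Added example (not from the original post): a shell script that builds a throwaway Root CA -> Company CA -> client certificate chain with the openssl CLI and shows the three verification outcomes the post is circling around: trusting only the root reproduces "error 20 ... unable to get local issuer certificate", while supplying the intermediate either as -untrusted or concatenated with the root into one -CAfile bundle lets the chain verify. The subjects, file names and the host in the comment are constructed; it assumes the openssl binary is installed.

```shell
# Added example, not the poster's setup: a constructed three-level chain in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Both CA certificates need basicConstraints CA:TRUE or verify rejects them as invalid CAs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Self-signed root (constructed subject).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/RootCA.crt" 2>/dev/null

# Intermediate "Company CA" signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Company CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -CA "$WORK/RootCA.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/CompanyCA.crt" 2>/dev/null

# Leaf (the client certificate) signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example" \
    -keyout "$WORK/myKey.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/CompanyCA.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/myCert.crt" 2>/dev/null

# Only the root is trusted and no intermediate is supplied: the verifier cannot find
# the leaf's issuer, so this fails with
# "error 20 at 0 depth lookup: unable to get local issuer certificate".
verify_root_only() {
    openssl verify -CAfile "$WORK/RootCA.crt" "$WORK/myCert.crt" >/dev/null 2>&1
}

# Intermediate supplied as untrusted chain material: the chain builds up to the root.
verify_with_untrusted() {
    openssl verify -CAfile "$WORK/RootCA.crt" -untrusted "$WORK/CompanyCA.crt" \
        "$WORK/myCert.crt" >/dev/null 2>&1
}

# Root and intermediate concatenated into one bundle; the same bundle is what you would
# hand to s_client (host name constructed), e.g.
#   openssl s_client -connect host.example:443 -cert myCert.crt -key myKey.key -CAfile bundle.pem
verify_with_bundle() {
    cat "$WORK/RootCA.crt" "$WORK/CompanyCA.crt" > "$WORK/bundle.pem"
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/myCert.crt" >/dev/null 2>&1
}

# Report the three outcomes when the script is run directly.
for f in verify_root_only verify_with_untrusted verify_with_bundle; do
    if "$f"; then echo "$f: verified"; else echo "$f: verification failed"; fi
done
```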