Date: Tue, 7 Apr 2015 20:12:47 -0400
From: el kalin <kalin@el.net>
To: Dan Lukes <dan@obluda.cz>, freebsd-security@freebsd.org, freebsd-users@freebsd.org
Subject: Re: openssl certificates
Message-ID: <CAMJXoc=OMDP-Y96Lhebd-NfmUqzy_qFCpbskNG1ie0snGtm1=A@mail.gmail.com>
In-Reply-To: <55245C8B.3020303@obluda.cz>
References: <CAMJXocmzU6be4PXpdn9pf%2BVdOdsXwYkSZHM-Q1iZC-Vah7%2B7Qw@mail.gmail.com> <5524525D.50500@obluda.cz> <CAMJXocn6UeL72EcyvOo%2BoHxN=-VNjQVowK=7zitgPC5pAW5sVg@mail.gmail.com> <55245C8B.3020303@obluda.cz>
On Tue, Apr 7, 2015 at 6:39 PM, Dan Lukes <dan@obluda.cz> wrote:

> el kalin wrote:
>
> >>> also how to add a CA cert to ca_root_nss file?
>
> > ok. it's in pem. but for each cert my ca-root-nss.crt has a bunch of other
> > sections - like date, signature algorithm, etc - whereas the company-root-ca.crt
> > has only what's in-between the begin and end lines. does that matter?
>
> The certificate is located between BEGIN and END marker only. The rest
> is comment. In most cases the text dump of certificate is used as
> comment, but it's up to you.

thanks dan… i have added the certs to the ca-root-nss.crt. it still doesn't help much in my case.

the problem really is that i can not get any https requests from a freebsd 10 box using a third party signed certificate with my private key and their ca certs to work. mostly testing with wget on the command line (it's a remote machine) like:

    wget --verbose --no-cookies --certificate=local.pem --ca-certificate=/usr/local/share/ca-root-nss.crt "https://domain.org/soapservice.asmx?WSDL"

this is for a soap call. and the local.pem is a conversion from a pkcs12 file.

every time i do that i get:

    HTTP request sent, awaiting response... 405 Method Not Allowed

does that mean that the web server actually verified the certificate and the problem is coming from the soap server application?

i am able to make successful requests to retrieve the wsdl using firefox after importing the signed certificate…

also when i test the certificates against the server with:

    openssl s_client -cert local.pem -connect domain.org:443 -CAfile /usr/local/share/ca-root-nss.crt -debug

i get to:

    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---

and then it just hangs, nothing happens - there is no prompt back…

any help at this point will be appreciated…

thanks...
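
Added example, not part of the original message: a Python sketch of the point quoted above from Dan Lukes, that only the text between the BEGIN and END markers is the certificate and the surrounding text dump is comment. The DER payload is a constructed placeholder (not a real certificate) and all function names are hypothetical.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One PEM certificate block; everything outside the markers is ignored.
PEM_CERT = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def extract_certs(bundle_text):
    """Return the DER bytes of every certificate block in a PEM bundle.

    Raises ValueError (binascii.Error) when a block is malformed, for
    example a BEGIN marker with no END before the next block starts.
    """
    ders = []
    for match in PEM_CERT.finditer(bundle_text):
        b64 = "".join(match.group(1).split())  # drop line breaks and padding spaces
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprints(bundle_text):
    """SHA-256 over the DER bytes only, so comments cannot change the result."""
    return [hashlib.sha256(der).hexdigest() for der in extract_certs(bundle_text)]


def pem_block(der):
    """Wrap DER bytes in BEGIN/END markers with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


# Constructed sample data: placeholder bytes standing in for a DER certificate.
FAKE_DER = bytes(range(90))
# Entry in the style of ca-root-nss.crt: a text dump, then the PEM block.
ANNOTATED = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "    Signature Algorithm: sha256WithRSAEncryption\n"
) + pem_block(FAKE_DER)
# Entry in the style of company-root-ca.crt: only the PEM block.
BARE = pem_block(FAKE_DER)

if __name__ == "__main__":
    print(fingerprints(ANNOTATED) == fingerprints(BARE))
```
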