curl-users
Re: Private key problem
Date: Thu, 05 Dec 2002 15:58:52 +0100
Andrey S. Goncherov wrote:
> Hello Goetz Babin-Ebell.
Hello Andrey,
>>>>> ./curl --key ./private.key --cacert ./ca_new.txt -v --cert
>>>>> ./www_site_com.crt https://secure.authorize.net/gateway/transact.dll
>>>>>* About to connect() to secure.authorize.net:443
>>>>>* Connected to secure.authorize.net (206.253.210.201) port 443
>>>>>* unable to set private key file
>>>>>* Closing connection #0
>>>>>curl: (58) unable to set private key file
>>>
>>>GBE> Is in www_site_com.crt your certificate ?
>>> yes - it's 100% correct certificate from comodo.net or .org
>>>GBE> the key in --key must match the cert in --cert ...
>>> as private key we put private key generated by
>>> openssl req –new –nodes -keyout myserver.key –out server.csr
> GBE> what gives
> GBE> openssl x509 -text -noout -in www_site_com.crt
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 18:29:85:cd:98:3a:d1:a2:d1:c5:fa:2c:e2:8b:c9:a5
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=GB, O=Comodo Limited, OU=Comodo Trust Network, OU=Terms and Co
> nditions of use: http://www.comodo.net/repository, OU=(c)2002 Comodo Limited, CN
> =Comodo Class 3 Security Services CA
> Validity
> Not Before: Nov 7 00:00:00 2002 GMT
> Not After : Nov 7 23:59:59 2003 GMT
> Subject: C=US/2.5.4.17=16601, ST=PA, L=Altoona/2.5.4.9=Altoona/2.5.4.9=R
> D 5 Box 3764, O=Taoti, OU=Taoti Enterprises, Inc., OU=InstantSSL, CN=www.taoti.c
> om
[...]
> GBE> And try
> GBE> openssl s_client -connect secure.authorize.net:443 \
> GBE> -key ./private.key -cert ./www_site_com.crt -debug
> unable to get private key from './private.key'
> 6720:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:279:
Here is the answer:
the key does not match the certificate...
> GBE> But why give you a client key/cert ?
> GBE> the site requires no client authentication....
> If I try to connect without defination certificates and key
> using
> openssl s_client -connect secure.authorize.net:443 -debug
>
> it show
>
> ...
> ---
> Certificate chain
> 0 s:/C=US/ST=Utah/L=Provo/O=AUTHORIZE.NET CORPORATION/OU=DEVELOPMENT/OU=Terms of use at www.verisign.com/RPA (c)01/CN=SECURE.AUTHORIZE.NET
> i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> ---
[...]
> subject=/C=US/ST=Utah/L=Provo/O=AUTHORIZE.NET CORPORATION/OU=DEVELOPMENT/OU=Terms of use at www.verisign.com/RPA (c)01/CN=SECURE.AUTHORIZE.NET
> issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> ---
> No client certificate CA names sent
Here: the server sent no list of trusted CA certificates for
client authorisation:
no client authorisation posssible...
[...]
> may be my private key is wrong? May be I generate not correct
> private.key? If so how to generate it correct?
try an
openssl req -new -newkey rsa:1024 -keyout mykey.pem -nodes -out myreq.pem
And now send the myreq.pem to your CA to get an new certificate.
Bye
Goetz
-- Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de Sonninstr. 24-28, 20097 Hamburg, Germany Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature