Re: OpenSSL and OCS and Windows 2003 CA
- From: BoNes <eoinmoon@xxxxxxxxx>
- Date: Wed, 14 Nov 2007 03:18:49 -0800
On 14 Nov, 09:27, "S. Pidgorny <MVP>" <slavi...@xxxxxxxxx> wrote:
I reckon everything may be okay with the certificate format, and the error
message is self-explanatory: a certificate for one FQDN is expected, for
another is presented. Unfortunately you don't give enough information that
allows one to tell what the FQDN in question is and its place in your
infrastructure.
I'd recommend using s_client (part of the OpenSSL suite) for SSL handshake
verification.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org * http://msmvps.com/blogs/sp
"BoNes" <eoinm...@xxxxxxxxx> wrote in message
news:1194954318.174198.118600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am trying to enable TLS connectivity between my application, which
uses a 3rd party app that requires OpenSSL, and Office Communicator
Server (OCS).
I suppose the applications on the platforms do not matter at this
stage. I have a CA on my Domain Controller and the OCS server uses
this when it applies its certificates when being configured.
So on my application/platform I issued a certificate from the same CA
(tried exporting, creating, etc., all methods), converted the PFX to
PEM format for OpenSSL using "openssl pkcs12 -in X:\dir\certA.pfx -out X:\dir\certA.pem -nodes" to do this.
I apply this certificate to the machine with my application, it is
read in and loaded and added to the trusted CA via the 3rd party API's
fine.
When I try and enable TLS I get handshaking (Server/Client Hello sent)
but it then suddenly terminates. The error I am getting is on my
applications server and not the OCS machine. The logs (Wireshark /OCS
logger) tell me
"The peer certificate does not contain a matching FQDN"
I have tried all I know in creating these certificates but no joy, same
error every time.
I have tried:
Exporting the actual certificate from OCS
A new certificate from the same CA
Reused the same certificate
Is the conversion incorrect perhaps? Any ideas/suggestions would be
gratefully appreciated.
Regards
Thanks for that, I will give it a go. Here is the certificate on the
peer (application server); maybe you will spot something in there that
I cannot.
Again many thanks for the advice. I have deleted sections because I am
unsure how smart it is to post a certificate (even one I generated
for tests) online.
Bag Attributes
1.3.6.1.4.1.311.17.2: <No Values>
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: <deleted by me>
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
<deleted by me>
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: sipserver14
subject=/C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=ServerX.ocstwo.com
issuer=/DC=com/DC=ocstwo/CN=ocstwo
-----BEGIN CERTIFICATE-----
<deleted by me>
-----END CERTIFICATE-----
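The FQDN check behind the error quoted above ("The peer certificate does not contain a matching FQDN"), as an added example that is not code from this thread or from OpenSSL: it reads the "subject=/.../CN=..." line in the format the posted openssl pkcs12 dump uses, prefers SAN dNSName entries when present, and compares against the name the peer expects. The subjectAltName line in the sample is an assumed addition; the CN is the one posted.

```python
"""Check whether the names a certificate presents match the FQDN a TLS peer
expects.  Input is the text 'openssl pkcs12 -nodes' prints (subject= line),
optionally with an 'X509v3 Subject Alternative Name' section."""
import re

# Constructed sample modelled on the posted dump; the CN is from the post,
# the subjectAltName section is an assumed addition to show SAN handling.
SAMPLE_DUMP = """\
Bag Attributes
    friendlyName: sipserver14
subject=/C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=ServerX.ocstwo.com
issuer=/DC=com/DC=ocstwo/CN=ocstwo
X509v3 Subject Alternative Name:
    DNS:ServerX.ocstwo.com, DNS:*.ocstwo.com
"""


def presented_names(dump):
    """DNS names the certificate presents: SAN dNSNames first, then the
    subject CN as a fallback (the order of preference in RFC 6125)."""
    names = re.findall(r"DNS:([^,\s]+)", dump)
    cn = re.search(r"^subject=.*?/CN=([^/\n]+)", dump, re.MULTILINE)
    if cn:
        names.append(cn.group(1).strip())
    return names


def name_matches(pattern, fqdn):
    """Case-insensitive comparison; a leading '*.' matches exactly one label,
    so '*.ocstwo.com' covers 'sip.ocstwo.com' but not 'a.b.ocstwo.com'."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".ocstwo.com"
        return fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]
    return pattern == fqdn


def check_peer_fqdn(dump, expected_fqdn):
    """True if any presented name matches the FQDN the peer connects to;
    a False here is what the posted OCS error reports."""
    return any(name_matches(n, expected_fqdn) for n in presented_names(dump))


if __name__ == "__main__":
    for host in ("serverx.ocstwo.com", "sip.ocstwo.com", "serverx.ocstwo.net"):
        ok = check_peer_fqdn(SAMPLE_DUMP, host)
        print(host, "->", "matches" if ok else "no matching FQDN (peer rejects)")
```

Run it against the real dump with the hostname your application actually dials (not just the machine name) to see which side of the mismatch you are on.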