Generating MS Cert Server CA Certificate in PEM Format

  • Thread starter: Scott

Scott

Hi,

I've inherited a project where X509 Client Certificates were generated by MS
Certificate Server. I now need to add an Apache server to the mix, and use
those certificates to authenticate against that Apache server (running on
W2K Server). To do so, I need to add the MS Cert Server CA certificate to
either SSLCACertificatePath or append it to SSLCACertificateFile
(...\ca-bundle.cert).

However, from the MS Cert Server UI, it appears that I can only download the
CA Cert in either DER encoded, base-64 encoded (both with .cer extensions),
or download the CA Certification path (.p7b extension).

Is there any way I can get the CA Certificate in PEM encoding so that I
won't get this error in Apache:

[Mon Aug 11 17:04:07 2003] [error] covalent_ssl: SSL handshake failed
(server proxy.vmware.acme.com:443, client 10.255.3.1) (CovalentSSL library
error follows)
[Mon Aug 11 17:04:07 2003] [error] CovalentSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification.]
[Mon Aug 11 17:04:25 2003] [error] covalent_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate

Regards,
Scott
 
You can use the tool openssl (I have it as part of a product we bought but I
don't know where to find it).

With openssl you can transform DER, PKCS12, crl etc. to PEM format.

good luck
roy
 
Thanks, I was able to get OpenSSL here:
http://gnuwin32.sourceforge.net/packages/openssl.htm. I'll have to play
with it a bit to see if it will convert the MS Cert Server CA Certificate to
PEM format.

 
I may have spoken too soon. I can invoke OpenSSL on W2K, but what OpenSSL
command sequence do I give to convert the DER formatted certificate to PEM?

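The conversion asked about in the last post, as an added example that is not part of the original thread: a small wrapper around the `openssl x509` and `openssl pkcs7` subcommands that turns any of the three downloads the CA offers (DER .cer, base-64 .cer, .p7b) into PEM. The function names and file names are placeholders; the `openssl` invocations inside are the same on the Windows build.

```shell
#!/bin/sh
# Added example: convert a CA certificate exported from MS Certificate Server
# to PEM for Apache. All file names are placeholders.

# to_pem IN OUT: write the certificate(s) found in IN to OUT in PEM form.
# Covers the three download choices the CA web UI offers.
to_pem() {
    in=$1
    out=$2
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$in"; then
        # "Base-64 encoded" .cer is already PEM; re-emit it cleanly.
        openssl x509 -in "$in" -inform PEM -out "$out" -outform PEM
    elif grep -q -- '-----BEGIN PKCS7-----' "$in"; then
        # Base-64 .p7b: extract every certificate in the chain.
        openssl pkcs7 -in "$in" -inform PEM -print_certs -out "$out"
    elif openssl x509 -in "$in" -inform DER -noout 2>/dev/null; then
        # "DER encoded" .cer: the direct answer to the question above.
        openssl x509 -in "$in" -inform DER -out "$out" -outform PEM
    else
        # Binary .p7b; openssl exits non-zero if it is not PKCS#7 either.
        openssl pkcs7 -in "$in" -inform DER -print_certs -out "$out"
    fi
}

# fingerprint FILE FORMAT: SHA-256 fingerprint of the first certificate in
# FILE (FORMAT is DER or PEM), to confirm the conversion changed only the
# encoding and not the certificate.
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

# Stand-alone use: sh to_pem.sh ca.cer ca.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2" && fingerprint "$2" PEM
fi
```

Compare the printed fingerprint with the one the CA reports before appending the PEM output to the file named in SSLCACertificateFile.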
 