I have a Windows Server 2012 R2 acting as both a Certification Authority and an IIS HTTPS server. I have a Linux client.
This command works just fine on my Linux client and behaves in exactly the expected way, so I can believe that my client is essentially intact:
$ openssl s_client -connect google.com:443 -showcerts
I have exported the public CA certificate as CA.cer from my Windows Server and copied that to my Linux client.
I have issued a self-signed certificate for IIS. The certificate has "Subject Name: CN=example.com, CN=*.example.com" and "Subject Alternative Name: IPV4=10.1.1.10, IPV4=10.1.1.11, IPV4=100.100.100.100". I have installed it properly, meaning it appears in the default website bindings for *:443.
I can't imagine how that could be any simpler, but I think I have done something wrong in just that little bit, as you will see in the example below:
On my Linux client I run:
$ openssl s_client -showcerts -CAfile CA.cer -connect 10.1.1.11:443
As a result I see:
CONNECTED(00000005)
depth=0 CN = *.example.com, CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.example.com, CN = example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.example.com, CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=*.example.com/CN=example.com
i:/DC=com/DC=example/CN=Positive Example, Inc.
-----BEGIN CERTIFICATE-----
:
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.example.com/CN=example.com
issuer=/DC=com/DC=example/CN=Positive Example, Inc.
---
No client certificate CA names sent
---
SSL handshake has read 2002 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: XXX...
Session-ID-ctx:
Master-Key: XXX...
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1481129355
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Does anybody have any thoughts on any of this procedure?
Thanks for the help.
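Two things are worth checking from the output above before touching the server, and the script below is an added example (not part of the original post, and it never contacts the poster's server) that reproduces both offline. First, error 20 at depth 0 means OpenSSL could not find the leaf's issuer ("Positive Example, Inc.") among the certificates it read from -CAfile; -CAfile only reads PEM, and the Windows Certificate Export Wizard defaults to "DER encoded binary X.509", so a DER CA.cer is silently useless until converted with openssl x509 -inform der. The chain printed contains only the leaf, which is normal when the issuer is the root itself, provided the client has that root. Second, once the chain verifies, the IP you connected to still has to match an IP entry in the SAN, which -verify_ip tests. The CA, leaf and SAN values are constructed throwaways whose names mimic the post; the script assumes an openssl binary (1.1.0 or later for -verify_ip) and mktemp on the path.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the two usual causes of
# "unable to get local issuer certificate" (error 20) and check SAN IP matching
# offline, with a throwaway CA and leaf certificate created here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed CA and leaf; names mimic the post but these are local throwaways.
make_certs() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -days 2 -subj "/DC=com/DC=example/CN=Positive Example, Inc." 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=example.com" 2>/dev/null
  printf 'subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.1.1.10,IP:10.1.1.11,IP:100.100.100.100\n' > san.cnf
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 1 -extfile san.cnf 2>/dev/null
  # The Windows export wizard's default "DER encoded binary X.509" produces this.
  openssl x509 -in ca.pem -outform der -out CA.cer
}

# Tell PEM from DER without trusting auto-detection: PEM carries the BEGIN marker,
# a DER certificate starts with the ASN.1 SEQUENCE tag 0x30.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo PEM
  elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# The same trust check s_client performs, run against the leaf on disk.
# $1 is the file handed to -CAfile; any further args go to openssl verify
# (e.g. -verify_ip 10.1.1.11 mirrors the address you connected to).
verify_with() {
  cafile=$1; shift
  if openssl verify -CAfile "$cafile" "$@" leaf.pem 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

make_certs
# Converting the DER export to PEM is the usual fix for the -CAfile case.
openssl x509 -inform der -in CA.cer -out CA.pem

echo "CA.cer is $(cert_format CA.cer); verify with it: $(verify_with CA.cer)"
echo "CA.pem is $(cert_format CA.pem); verify with it: $(verify_with CA.pem)"
echo "SAN IP match for 10.1.1.11: $(verify_with CA.pem -verify_ip 10.1.1.11)"
echo "SAN IP match for 10.1.1.12: $(verify_with CA.pem -verify_ip 10.1.1.12)"
```

Run it as is; the same three checks apply to the real files by pointing cert_format at the exported CA.cer and running openssl s_client with -CAfile CA.pem -verify_ip 10.1.1.11 against the server. If the chain still fails after converting to PEM, the file you exported is not the certificate that signed the leaf (compare its subject with the issuer line in the s_client output).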