
I am following the F5 KB article to test SSL client based cert auth using openssl s_client but it keeps failing with this error:

```
OpenSSL> s_client -connect auc.akmlab.local:443 -key "C:\HELPAG\akmlab files\certs\admin-c-auth-ca-cert2.key" -cert "C:\HELPAG\akmlab files\certs\admin-c-auth-ca-cert.crt"
unable to load certificate
8204:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
error in s_client
OpenSSL>
```

I am trying to google for this but cannot find much info anyway related to SSL client auth.

I have imported this same user cert to my browser and this works fine.

The server is an F5 BIG-IP device with the root certificate from the CA which has signed the user certificate.

allwynmasc
  • This suggests that your file `admin-c-auth-ca-cert.crt` does not have the expected format or content. It is expected to be a certificate in PEM format. Nothing is known about what it really is. – Steffen Ullrich Feb 14 '19 at 14:07
  • I see, mine is in crt format. I will convert and try this. – allwynmasc Feb 14 '19 at 14:31
  • If browser(s) can read it as a cert (not a p12/pfx) and it isn't PEM it's probably DER; use `openssl x509 -inform der -in derfile -out pemfile`. PS: the error message is slightly misleading. OpenSSL actually accepts two related but distinct PEM types, CERTIFICATE and TRUSTED CERTIFICATE, and the first is much more common, but the error message can only state one and it happens to be the second. – dave_thompson_085 Feb 14 '19 at 14:55
  • Both you guys are right, I just converted to PEM and it works fine. So somebody post this as an answer for me to accept. – allwynmasc Feb 15 '19 at 12:47
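
The diagnosis from the comments, as an added example that is not part of the original thread: a `.crt` extension says nothing about the encoding, so this Python sketch checks whether a file is PEM (with one of the two labels `s_client` accepts for `-cert`) or a DER SEQUENCE, and wraps DER as PEM. The function names and the sample bytes are constructed for illustration; the sample is not a real certificate.

```python
import re
import ssl

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
# The two PEM types mentioned in the thread as accepted for a certificate.
CERT_LABELS = {b"CERTIFICATE", b"TRUSTED CERTIFICATE"}

# Constructed sample: a well-formed outer DER SEQUENCE header plus 256 zero
# bytes. It has the right framing but is NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def der_sequence_length(data: bytes):
    """Total encoded length of the outer DER SEQUENCE, or None if absent."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Return 'pem-cert', 'pem-other:<label>', 'der' or 'unknown'."""
    m = PEM_LABEL.search(data)
    if m:
        label = m.group(1)
        if label in CERT_LABELS:
            return "pem-cert"
        return "pem-other:" + label.decode("ascii")
    # Framing check only: DER keys and PKCS#12 files also start with a
    # SEQUENCE, so 'der' means "binary ASN.1", not "definitely a certificate".
    if der_sequence_length(data) == len(data):
        return "der"
    return "unknown"


def to_pem(data: bytes) -> bytes:
    """Return PEM bytes for a PEM or DER input; refuse anything else."""
    kind = classify(data)
    if kind == "pem-cert":
        return data
    if kind == "der":
        # Same result as the openssl x509 -inform der conversion for a real
        # certificate: base64 body between CERTIFICATE header and footer.
        return ssl.DER_cert_to_PEM_cert(data).encode("ascii")
    raise ValueError("not loadable as a certificate: " + kind)
```

A file that classifies as `pem-other:...` (for example a private key passed to `-cert` by mistake) or `unknown` produces the same "no start line" error, so the label is worth checking before converting.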
