Generating MS Cert Server CA Certificate in PEM Format

[Scott]

Hi,

I've inherited a project where X509 Client Certificates were generated by MS
Certificate Server. I now need to add an Apache server to the mix, and use
those certificates to authenticate against that Apache server (running on
W2K Server). To do so, I need to add the MS Cert Server CA certificate to
either SSLCACertificatePath or append it to SSLCACertificateFile
(...\ca-bundle.cert).

However, from the MS Cert Server UI, it appears that I can only download the
CA Cert in either DER encoded, base-64 encoded (both with .cer extensions),
or download the CA Certification path (.p7b extension).

Is there any way I can get the CA Certificate in PEM encoding so that I
won't get this error in Apache:

[Mon Aug 11 17:04:07 2003] [error] covalent_ssl: SSL handshake failed
(server proxy.vmware.acme.com:443, client 10.255.3.1) (CovalentSSL library
error follows)
[Mon Aug 11 17:04:07 2003] [error] CovalentSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATEeer did not return a certificate
[Hint: No CAs known to server for verification.]
[Mon Aug 11 17:04:25 2003] [error] covalent_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate

Regards,
Scott

 

[Roy]

You can use the tool openssl (I have it as part of a product we bought but I
don't know where to find it).

With openssl you can transform DER, PKCS12, crl etc. to PEM format

good luck
roy

 

[Scott]

Thanks I was able to get OpenSSL here:
http://gnuwin32.sourceforge.net/packages/openssl.htm. I'll have to play
with it a bit to see if it will convert the MS Cert Server CA Certificate to
PEM format.

You can use the tool openssl (I have it as part of a product we bought but I
don't know where to find it).

With openssl you can transform DER, PKCS12, crl etc. to PEM format

good luck
roy

Hi,

I've inherited a project where X509 Client Certificates were generated

by

MS
Certificate Server. I now need to add an Apache server to the mix, and use
those certificates to authenticate against that Apache server (running on
W2K Server). To do so, I need to add the MS Cert Server CA certificate to
either SSLCACertificatePath or append it to SSLCACertificateFile
(...\ca-bundle.cert).

However, from the MS Cert Server UI, it appears that I can only download the
CA Cert in either DER encoded, base-64 encoded (both with .cer extensions),
or download the CA Certification path (.p7b extension).

Is there any way I can get the CA Certificate in PEM encoding so that I
won't get this error in Apache:

[Mon Aug 11 17:04:07 2003] [error] covalent_ssl: SSL handshake failed
(server proxy.vmware.acme.com:443, client 10.255.3.1) (CovalentSSL library
error follows)
[Mon Aug 11 17:04:07 2003] [error] CovalentSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATEeer did not return a certificate
[Hint: No CAs known to server for verification.]
[Mon Aug 11 17:04:25 2003] [error] covalent_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate

Regards,
Scott

 

[Scott]

I may have spoken too soon. I can invoke OpenSSL on W2K, but what OpenSSL
command sequence do I give to convert the DER formatted certificate to PEM?

Thanks I was able to get OpenSSL here:
http://gnuwin32.sourceforge.net/packages/openssl.htm. I'll have to play
with it a bit to see if it will convert the MS Cert Server CA Certificate to
PEM format.

You can use the tool openssl (I have it as part of a product we bought

but

I
don't know where to find it).

With openssl you can transform DER, PKCS12, crl etc. to PEM format

good luck
roy


by and
use

certificate

to

either SSLCACertificatePath or append it to SSLCACertificateFile
(...\ca-bundle.cert).

However, from the MS Cert Server UI, it appears that I can only

download
the

CA Cert in either DER encoded, base-64 encoded (both with .cer extensions),
or download the CA Certification path (.p7b extension).

Is there any way I can get the CA Certificate in PEM encoding so that I
won't get this error in Apache:

[Mon Aug 11 17:04:07 2003] [error] covalent_ssl: SSL handshake failed
(server proxy.vmware.acme.com:443, client 10.255.3.1) (CovalentSSL library
error follows)
[Mon Aug 11 17:04:07 2003] [error] CovalentSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATEeer did not return a certificate
[Hint: No CAs known to server for verification.]
[Mon Aug 11 17:04:25 2003] [error] covalent_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate

Regards,
Scott