[gnutls-help] Issue using certtool

Patrick.Ouellet at promutuel.ca
Mon Nov 28 14:19:52 CET 2016


I know this is quite an easy question for veterans of GnuTLS,
but I'm really used to OpenSSL, and a week ago I didn't know there was an alternative to OpenSSL.

So I'm trying to build an LDAP proxy using OpenLDAP. The proxy works fine until I try to add TLS to it.

The only error I could gather is this one:

main: TLS init def ctx failed: -1

That's when I realized Ubuntu compiles OpenLDAP with GnuTLS, not with OpenSSL, so I wanted to verify my certificates
to be sure GnuTLS can read and understand them.

I just need help verifying my certificate using certtool.

I have been able to verify my CA cert.

At first it didn't work:

certtool -e --infile certificate_chain.cer.pem
Loaded 2 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Then I read somewhere, don't ask me where, that GnuTLS needs the certificates in the reverse order from OpenSSL, so
I inverted the certificate order in certificate_chain.cer.pem and it worked:

certtool -e --infile certificate_chain.cer.pem.gnutls
Loaded 2 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Issuer: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Checked against: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Root CA
        Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.

But when I try to verify my server certificate, no matter what I do I am unable to get "Output: Verified. The certificate is trusted.":

certtool -e --infile p01ldp5001.cer.pem --load-ca-certificate=certificate_chain.cer.pem.gnutls
|<1>| There was a non-CA certificate in the trusted list: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local.
Loaded 1 certificates, 1 CAs and 0 CRLs

        Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
        Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

        Subject: C=CA,ST=Quebec,L=Quebec,O=Promutuel CES,OU=Operations,CN=p01ldp5001.services.local
        Issuer: C=CA,ST=Quebec,O=Promutuel CES,OU=Operations,CN=Promutuel HWS Intermediate CA 1
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Can someone help me with that?
Are my files incorrect?
Am I using some parameter wrong?


Patrick Ouellet
Linux Administrator
Operations
VPSI
Groupe Promutuel
2000, boulevard Lebourgneuf, 4e étage, Québec (Québec)  G2K 0B6
Tel: 418 840-1188, ext. 2393  /  1 800 510-4630
Fax: 418 840-9900
promutuelassurance.ca <https://www.promutuelassurance.ca/>
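Added example, not from the post or from the GnuTLS project: a POSIX sh script that builds a throwaway root/intermediate/server PKI with certtool (gnutls-bin) and then checks the server chain with `certtool --verify`, which takes its trust anchors from `--load-ca-certificate`. The trust bundle holds CA certificates only (intermediate, then root), the chain file lists the server certificate first and the root last, and loading the server certificate itself as a trust anchor reproduces the "non-CA certificate in the trusted list" warning quoted above. Every name, path and template here is constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the original post): throwaway three-tier PKI built with certtool.
set -eu
WORK=$(mktemp -d)

# Templates: `ca` sets basicConstraints CA:TRUE, which lets a cert act as a trust anchor.
printf 'cn = "Demo Root CA"\nca\ncert_signing_key\nexpiration_days = 3650\n' > "$WORK/root.tmpl"
printf 'cn = "Other Root CA"\nca\ncert_signing_key\nexpiration_days = 3650\n' > "$WORK/other.tmpl"
printf 'cn = "Demo Intermediate CA 1"\nca\ncert_signing_key\nexpiration_days = 1825\n' > "$WORK/inter.tmpl"
printf 'cn = "ldap.demo.test"\ndns_name = "ldap.demo.test"\ntls_www_server\nsigning_key\nencryption_key\nexpiration_days = 365\n' > "$WORK/server.tmpl"
gen() { # gen NAME [ISSUER]: self-signed when no issuer is given
  certtool --generate-privkey --outfile "$WORK/$1.key" >/dev/null 2>&1
  if [ $# -eq 1 ]; then
    certtool --generate-self-signed --load-privkey "$WORK/$1.key" \
      --template "$WORK/$1.tmpl" --outfile "$WORK/$1.pem" >/dev/null 2>&1
  else
    certtool --generate-certificate --load-privkey "$WORK/$1.key" --template "$WORK/$1.tmpl" \
      --load-ca-certificate "$WORK/$2.pem" --load-ca-privkey "$WORK/$2.key" \
      --outfile "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

build_pki() {
  gen root; gen other; gen inter root; gen server inter
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/cas.pem"                      # trust bundle: CAs only
  cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem" # leaf first, root last
}

# verify_chain CHAIN CABUNDLE: prints trusted/untrusted from certtool's one-line overall verdict.
verify_chain() {
  if certtool --verify --infile "$1" --load-ca-certificate "$2" 2>&1 |
       grep -q 'Chain verification output: Verified'; then echo trusted; else echo untrusted; fi
}

# non_ca_in_trust_list CHAIN CABUNDLE: prints yes when certtool logs an end-entity cert in the trust list.
non_ca_in_trust_list() {
  if certtool --verify --infile "$1" --load-ca-certificate "$2" 2>&1 |
       grep -q 'non-CA certificate in the trusted list'; then echo yes; else echo no; fi
}

if command -v certtool >/dev/null 2>&1; then
  build_pki
  echo "correct CA bundle: $(verify_chain "$WORK/chain.pem" "$WORK/cas.pem")"    # trusted
  echo "unrelated root:    $(verify_chain "$WORK/chain.pem" "$WORK/other.pem")"  # untrusted
  echo "leaf as anchor:    $(non_ca_in_trust_list "$WORK/chain.pem" "$WORK/server.pem")"  # yes
else
  echo "certtool not found (install gnutls-bin)" >&2
fi
```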

