0

I'm trying to communicate with some software at my company (that I did not write). We are able to set the server certificate, server key, and server CA certificate through configuration.

I generate the root certificate on the primary machine with:

openssl genrsa -out rootCA.key 2048

I self-sign the root certificate with:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

I generate the client key the same as I do the root key, generate a CSR with:

openssl req -new -key device.key -out device.csr

I then sign the client key with the root certificate with:

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256

I'm communicating from Python OpenSSL to this application (running in Java). I set the key and certificate files in OpenSSL to the device keys, then set server-ca-cert and server-cert to the root certificate, and server-key to the root key. No matter what, I always get this error in Python:

OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

And this error in Java:

On handshake complete OpenSSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I don't know if I'm doing something wrong, or if it's something with the software I'm not getting - and before I go bugging the CTO I'd like to know if I don't understand SSL/TLS. Am I missing some step? Should a server not use the root certificate as it's own certificate?

EDIT

To explain the setup more:

We typically deploy in a clustered environment.

The client application is running on two machines in a master/standby configuration, and the servers are all the machines in the cluster (including the two that are the master/standby network integration units). As part of our installation process, the master machine distributes root SSH keys to all machines in the cluster - so, through Ansible, I have full control over all of the machines. The two NIUs have an application that uses SOAP over TLS to control the software on all the machines in the cluster. We've historically used UDP, but we're making efforts to increase security.

bitmous
  • 420
  • 4
  • 6
  • 1
    You did not explain your setup very well. Who is server, who is client? Which side is using which certificates and keys as a) server certificate b) CA certificate c) client certificate (if client certificates are used)? – Klaus D. Apr 12 '17 at 23:22
  • Thanks - I edited the original post with more information on the setup. – bitmous Apr 13 '17 at 00:42
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Apr 13 '17 at 11:34
  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Apr 13 '17 at 11:34

0 Answers0