Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com> |
2006-12-21 17:33:59 |
|
Can a site certificate issued from Verisign be used with Pound?
|
|
|
|
|
Re: [Pound Mailing List] Using Verisign site cert with pound
Dave Steinberg <dave(at)redterror.net> |
2006-12-21 17:54:12 |
|
Michael St. Laurent wrote:[...]
Yes. Certs are certs - they are not issuer-specific in any way.
Now, you might need intermediate certificates to establish the chain to
something installed in the viewing computer, but that's a different
issue (and generally a non-issue for Verisign).
Regards,[...]
|
|
|
RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com> |
2006-12-21 18:59:54 |
|
The text I got from them is a bit different than what was created when I
used OpenSSL to generate my own.
Theirs starts with -----BEGIN CERTIFICATE----- and ends with -----END
CERTIFICATE-----.
The one I created with OpenSSL also has an RSA PRIVATE KEY section and a
DH PARAMETERS section.
I've tried using the Verisign cert as provided but pound will not start.
It reports a config error and terminates.
|
|
|
Re: [Pound Mailing List] Using Verisign site cert with pound
Dave Steinberg <dave(at)redterror.net> |
2006-12-21 19:37:47 |
|
Michael St. Laurent wrote:[...]
That's the actual cert.
[...]
That's a "pem format" cert. It's exactly as you describe, key + dh
params + cert.
[...]
You'll need to use the cert verisign gave you to build a pem-format cert
for use with pound. Just follow the structure of the one you generated
yourself (you can literally copy / paste the relevant private key in
place). Google for 'pem format' and similar for more details.
Note that DH params aren't specific to your cert / key, they can be
generated on their own (in fact, you're supposed to change them
periodically).
[...]
|
|
|
Re: [Pound Mailing List] Using Verisign site cert with pound
Jon Garvin <jgarvin.lists(at)gmail.com> |
2006-12-21 20:06:29 |
|
We're using several certs for different sites all through the same pound
process from GoDaddy. They work like a charm, were easy to set up, and are
a heck of a lot less expensive than VeriSign.
|
|
|
RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com> |
2006-12-21 23:32:39 |
|
I can't figure this out. We took this same text and used it to create a
.cer file and it worked on the IIS server. On the linux system I opened
VI and pasted the text into the window. The line count matches and it
looks like everything went in. I save that and try to verify it:
[root(at)guardian certs]# openssl verify verisign.cer
unable to load certificate
28362:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
28362:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509_CINF
28362:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509
28362:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:
[root(at)guardian certs]#
|
|
|
RE: [Pound Mailing List] Using Verisign site cert with pound
"Joe Gooch" <mrwizard(at)k12system.com> |
2006-12-22 00:49:38 |
|
IIS/IE usually use DER format.
Try openssl x509 -inform DER -in verisign.cer -noout -text
And see if you get results
If you don't, try openssl x509 -inform PEM -in verisign.cer -noout -text
You did include the --- BEGIN CERTIFICATE lines too, right? They need to be
included.
You need a pem file that has the KEY and the CERT in it to work. So something
like this:
pound.pem:
-----BEGIN RSA PRIVATE KEY-----
(whole bunch of Base64 letters/numbers/symbols)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(whole bunch of Base64 letters/numbers/symbols)
-----END CERTIFICATE-----
If you've done it right, openssl x509 -inform PEM -in pound.pem -noout -text
will return your certificate information.
Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540
[...]
|
|
|
RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com> |
2006-12-22 18:15:10 |
|
Okay, I've requested a new certificate from GoDaddy hoping that I would be able
to manipulate it more easily as the cert request was issued by myself.
However, when I generated the RSA key to issue the csr I used a key phrase on
it. Will that interfere with creating the PEM file when the certificate info
arrives (should be in the next few minutes according to their representative)?
|
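An added example, not part of any poster's message and not Pound's own code: a standard-library Python check for the problems raised in Joe Gooch's reply and in the passphrase question above (binary DER instead of PEM, armor lines without exactly five dashes, a damaged paste, a passphrase-protected key, a bundle missing the key or the certificate). The function names and the sample blocks are constructed for illustration; the check looks only at the outer encoding and does not validate the certificate itself.

```python
import base64
import re

BLOCK = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S | re.M)
ARMOR = re.compile(r"^(-+)(?:BEGIN|END) [A-Z0-9 ]+?(-+)[ \t\r]*$", re.M)

def inspect_bundle(data: bytes) -> dict:
    """Classify a certificate/key file and list what to fix before deploying it."""
    report = {"format": "PEM", "labels": [], "problems": []}
    if data[:1] == b"\x30":  # raw ASN.1 SEQUENCE tag: binary DER, not PEM text
        report["format"] = "DER"
        report["problems"].append("binary DER: convert to PEM first")
        return report
    text = data.decode("ascii", errors="replace")
    # PEM armor lines carry exactly five dashes on each side of the label.
    if any(len(a) != 5 or len(b) != 5 for a, b in ARMOR.findall(text)):
        report["problems"].append("armor line without exactly five dashes")
    for label, body in BLOCK.findall(text):
        report["labels"].append(label)
        if "4,ENCRYPTED" in body or label == "ENCRYPTED PRIVATE KEY":
            report["problems"].append(label + ": protected by a passphrase")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # stray characters or a truncated paste
            report["problems"].append(label + ": damaged base64 body")
            continue
        if der[:1] != b"\x30":  # keys, certs and DH params are all SEQUENCEs
            report["problems"].append(label + ": does not decode to ASN.1")
    if not any(name.endswith("PRIVATE KEY") for name in report["labels"]):
        report["problems"].append("no private key block")
    if "CERTIFICATE" not in report["labels"]:
        report["problems"].append("no certificate block")
    return report

def sample_pem(label: str, dashes: int = 5, header: str = "") -> bytes:
    """Constructed stand-in block: a tiny valid SEQUENCE, not a real key or cert."""
    b64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    d = "-" * dashes
    return f"{d}BEGIN {label}-----\n{header}{b64}\n{d}END {label}-----\n".encode()

if __name__ == "__main__":
    cert_only = sample_pem("CERTIFICATE")  # the file a CA sends back
    print(inspect_bundle(cert_only)["problems"])
    print(inspect_bundle(sample_pem("RSA PRIVATE KEY") + cert_only)["problems"])
```

To check a real file, pass its bytes: `inspect_bundle(open("pound.pem", "rb").read())`.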
|
|
RE: [Pound Mailing List] Using Verisign site cert with pound
"Michael St. Laurent" <mikes(at)hartwellcorp.com> |
2006-12-22 18:39:25 |
|
Ah, okay. So I've got my cert and an intermediate cert to install as well.
|
|
|
|