Ldap – Trying to connect to LDAPS (Windows active directory) but keep receiving Verify return code: 20 (unable to get local issuer certificate) error

ldap, openssl

I've been given a certificate by the person who runs our Active Directory server so I can use LDAPS but I can't get it to work. When verifying with openssl:

openssl s_client -connect domain.com:636 -CAfile ~/filename.pem

I just get Verify return code: 20 (unable to get local issuer certificate) every time.

I'm wondering if the server is misconfigured because I have tried to get the certificate straight from the server like this (from Ubuntu 16.04 client):

openssl s_client -host domain.com -port 636 -prexit -showcerts

And I get the same error message even with that.

Whereas if I type:

openssl s_client -host google.com -port 443 -prexit -showcerts

I get Verify return code: 0 (ok)

I've tried copying certificates into /etc/ssl/certs. I've tried using -CApath and -CAfile to give various certificates to the server.

Really I'm asking if the error code 20 in response to an openssl with -showcerts means that the server really is misconfigured or if I'm just not doing it right, because I'd hate to spend more time on the client when it's the server that's misbehaving.

openssl x509 -noout -text -in filename.pem

returns (with some redactions):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xxxxxxxxxxxxxxxx
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=My organisation RootCA
        Validity
            Not Before: May 20 13:11:34 2016 GMT
            Not After : May 20 13:21:34 2021 GMT
        Subject: DC=org, DC=example, CN=My organisation Issuing CA

And then a load of stuff that all looks fine. That is the root certificate, is it not? It says RootCA on it, after all.

Oh yes, and if I feed that certificate in, with

openssl s_client -connect domain.com:636 -CAfile file.pem

I do get a different error message:

Verify return code: 2 (unable to get issuer certificate)

So this feels like I have one certificate but not the other.

I did get another one using nmap --ssl-cert but I don't seem to be able to get anything other than error code 20 with that.

Best Answer

I assume that you've received a file containing a single root CA cert to validate the TLS server cert. Make sure it's ASCII-armored base64-encoded (aka PEM).

Normally a certificate authority would not use the root CA's key to directly sign a TLS server public key. For security reasons one uses an intermediate CA, also often called issuing CA, for that.

Now the TLS client has to verify the whole CA cert chain, and it needs access to the intermediate CA cert and the root CA cert.

In the case of a well-configured TLS server you only need the root CA cert in a local file because the server sends the intermediate CA cert during the TLS connect. But some TLS servers are not well-configured.

You should see what's going on with

openssl s_client -connect ldap.example.com:636 -showcerts

like you already did.

If you do not have the root CA cert then ask the person who gave the intermediate CA cert to you.

Or if you have a Windows workstation in this AD domain it's somewhat likely that you will find the root CA cert in the trust store of your Windows installation.
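As an added example (not part of the question or the answer), this Go program builds a constructed root -> issuing CA -> server chain with the names from the question, checks which certificate is really the root by comparing Subject with Issuer, and reproduces the two outcomes the answer describes: verification fails when only the root is trusted and the server does not send the intermediate, and succeeds once the intermediate is available. All certificates and names are constructed for the demo; nothing here is a real AD certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IsRoot reports whether c is self-issued (Subject == Issuer), the mark of a root CA.
// The questioner's file has Issuer "RootCA" but Subject "Issuing CA", so it is an intermediate.
func IsRoot(c *x509.Certificate) bool {
	return c.IsCA && c.Subject.String() == c.Issuer.String()
}

// Verify chains leaf up to trusted, treating sent (what the server includes in the handshake) as an untrusted link; nil means not sent.
func Verify(leaf, trusted, sent *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(trusted)
	if sent != nil {
		opts.Intermediates.AddCert(sent)
	}
	_, err := leaf.Verify(opts)
	return err
}

// Issue mints a constructed demo certificate (not a real AD cert); parent == nil yields a self-signed root.
func Issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key // self-sign: the root is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	root, rk := Issue("My organisation RootCA", true, nil, nil)
	inter, ik := Issue("My organisation Issuing CA", true, root, rk)
	leaf, _ := Issue("ldap.example.com", false, inter, ik)
	fmt.Println("issuing CA is a root?", IsRoot(inter), "| root CA is a root?", IsRoot(root))
	fmt.Println("root trusted, intermediate not sent:", Verify(leaf, root, nil))
	fmt.Println("root trusted, intermediate sent:", Verify(leaf, root, inter))
}
```

One difference from the question's tool: Go accepts any certificate in Roots as a trust anchor, while OpenSSL by default insists on chaining up to a self-signed root, which is why giving it only the issuing CA via -CAfile produced error 2 (unable to get issuer certificate); OpenSSL only accepts an intermediate as the anchor with -partial_chain.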