I've been trying to get an SSL connection to an LDAPS server (Active Directory) to work, but keep having problems. I tried using this:
openssl s_client -connect the.server.edu:3269
With the following result:
verify error:num=20:unable to get local issuer certificate
I thought, OK, well, the server's an old production server, a few years old. Maybe the CA isn't present. I then pulled the certificate from the output into a pem file and tried:
openssl s_client -CAfile mycert.pem -connect the.server.edu:3269
And that didn't work either.
What am I missing? Shouldn't that ALWAYS work?
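An added example (not from this thread) of why the second attempt above fails: -CAfile must hold the certificate of the issuer, and the first PEM block that s_client -showcerts prints is the server's own leaf, which cannot vouch for itself. It assumes only the openssl CLI; the CA and leaf are generated locally, the s_client transcript is constructed, and "the.server.edu" is just the placeholder name from the question.

```shell
#!/bin/sh
# Demo: verifying a leaf against itself vs. against its issuing CA.
# Everything here is generated on the fly; nothing touches a real server.
set -e
cd "$(mktemp -d)"

make_demo_pki() {   # constructed CA plus a leaf certificate it signs
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo Issuing CA" -days 365 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=the.server.edu" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 365 2>/dev/null
}

# Constructed stand-in for a saved "openssl s_client -showcerts" transcript:
# the demo PEMs wrapped in s_client's usual framing (depth 0 first).
fake_showcerts() {
  { printf 'CONNECTED(00000003)\ndepth=0 CN = the.server.edu\n'
    printf 'verify error:num=20:unable to get local issuer certificate\n---\n'
    printf 'Certificate chain\n 0 s:CN = the.server.edu\n   i:CN = Demo Issuing CA\n'
    cat leaf.pem
    printf ' 1 s:CN = Demo Issuing CA\n   i:CN = Demo Issuing CA\n'
    cat ca.pem
    printf '%s\n' '---' 'Server certificate'; } > "$1"
}

# Split a -showcerts transcript into chain-1.pem (leaf), chain-2.pem, ...
# and print how many certificates the server actually sent.
split_chain() {
  awk '/-----BEGIN CERTIFICATE-----/{n++; f=1}
       f{print > ("chain-" n ".pem")}
       /-----END CERTIFICATE-----/{f=0; close("chain-" n ".pem")}
       END{print n+0}' "$1"
}

# openssl's verdict on $2 when $1 is the only trust anchor (exit 0 = trusted).
verify_with() { openssl verify -CAfile "$1" "$2" 2>&1; }

make_demo_pki
fake_showcerts showcerts.txt
echo "certificates in transcript: $(split_chain showcerts.txt)"
echo '--- trust file = the leaf itself (the second attempt in the question) ---'
verify_with chain-1.pem chain-1.pem || true
echo '--- trust file = the issuing CA, the last block in the chain ---'
verify_with chain-2.pem chain-1.pem
```

If the server only sends its leaf (one block in the transcript), the issuer has to be obtained from the CA that signed it; no amount of re-pointing -CAfile at the leaf will make error 20 go away.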
Best Answer
So this is what I see as the CA cert name:
That was the name of the certificate that I had imported after I did the -showcerts in my second try above. I listed the certs in the keystore by doing this:
I see the CA certificate in there.
To make sure that openssl is using the keystore that I'm using with the server, I'm using the -CAfile argument:
Knowing that the java keystore for CAs has a password, I tried using the -pass pass:password option like this:
but that didn't work either.
What's funny about that is that the cacerts file has a password on it and openssl isn't complaining that it can't read the cacerts file. That seems fishy to me. Does that or anything else ring a bell?