error 20 at 0 depth lookup:unable to get local issuer certificate
This particular error occurs because the certificate has expired. We need to renew it by removing the old certificate, creating a new one, and attaching it to the web server or wallet.
Step 1
Check the certificate with the verify command
[oracle@fahtestdb Fa_Ca]$ openssl verify <domainname>.com.pem
<domain_name>.com.pem: /CN=*.<domain_name>.com/OU=oic/O=oic_it/L=Dubai/ST=Dubai/C=AE
error 20 at 0 depth lookup:unable to get local issuer certificate
Step 2
Check whether the certificate is valid or expired
[oracle@fahtestdb Fa_Ca]$ openssl x509 -noout -text -in <domain_name>.com.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
d7:79:73:18:59:89:db:71
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AE, ST=Dubai, L=Dubai, O=<cmpany_name>, OU=< organization unit> , CN=RootCa/emailAddress=palaneandavar@gmail.com
Validity
Not Before: Aug 22 09:30:17 2012 GMT
Not After : Sep 21 09:30:17 2012 GMT
Subject: CN=*.<domain_name>.com, OU=oic, O=oic_it, L=Dubai, ST=Dubai, C=AE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d0:cc:54:f9:aa:da:88:4e:22:4a:0d:c3:71:92:
96:57:b5:27:c0:13:a3:f6:ac:d2:16:fc:fd:68:49:
92:d8:59:0d:87:bc:27:d4:31:91:df:ac:b4:62:6d:
d8:37:cf:c4:e0:08:38:96:0a:eb:92:49:78:9e:41:
79:c5:74:fe:d4:a5:82:e3:a2:17:10:4e:c0:41:f5:
bf:99:0f:1a:ac:d9:e6:a9:ab:f2:0c:f2:78:25:ef:
08:a0:37:ba:51:64:53:ae:02:13:cd:a7:bb:3b:71:
ee:27:9c:c6:1e:77:a7:82:75:0e:2e:57:f4:d0:31:
9f:a3:67:51:e6:c1:27:0a:1f
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
95:93:db:b3:2f:f4:43:54:91:a2:9d:ec:e9:ff:7d:b5:2f:27:
8b:45:8c:1e:c7:88:ee:66:16:01:98:0e:09:3a:d4:6c:37:e8:
e6:97:48:6b:69:a0:47:ca:54:dc:40:45:db:00:93:b2:db:40:
85:cb:f3:4c:e3:e4:33:aa:8e:6e
The command prints output like the above. Check the expiry date in the output: if the Not After date is earlier than the current date, the certificate has expired, and we need to create a new certificate and replace it.
Step 3
Creating a new certificate
openssl x509 -req -in <domain_name>.req -CA fa_root_cert.pem -CAkey fa_privkey.pem -CAcreateserial -out *.<domain_name>.pem
-req -in: here we need to provide the request file that was generated to request the user certificate
-CA: we need to provide the root CA certificate that was created [the certificate authority that signs this user certificate]
-CAkey: the private key generated for this root CA certificate
-CAcreateserial: creates the CA serial number file if it does not already exist
-out: the output file, which is the user certificate
If you have multiple sites under one domain, you can use a wildcard [*] when creating the certificate, which accepts all the sites under the same domain.
Step 4
Remove the old certificate from its location and replace it with the newly created certificate.
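The check and re-signing steps above, run end to end against a throwaway CA, as an added example that is not part of the original post. The demo CA subject, `*.example.test`, `server.req`, `server.key` and the function names are constructed for illustration; the script also shows that `openssl x509 -req` issues a 30-day certificate unless `-days` is given, which matches the Validity window in the Step 2 output.

```shell
#!/usr/bin/env bash
# Added example: demo CA, subjects and file names below are constructed.

# Stand-ins for the page's fa_root_cert.pem / fa_privkey.pem, plus a request file.
setup_demo() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo Root CA" -keyout "$1/fa_privkey.pem" \
    -out "$1/fa_root_cert.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=*.example.test" -keyout "$1/server.key" \
    -out "$1/server.req" 2>/dev/null
}

# Step 3: sign the request with the CA; extra options (e.g. -days 365) pass through.
sign_request() {  # $1 = work dir, $2 = output cert, rest = extra options
  local dir=$1 out=$2; shift 2
  openssl x509 -req -sha256 -in "$dir/server.req" \
    -CA "$dir/fa_root_cert.pem" -CAkey "$dir/fa_privkey.pem" \
    -CAcreateserial -out "$out" "$@" 2>/dev/null
}

# Step 2 without reading dates by eye: succeeds if still valid $2 days from now.
valid_for_days() {  # $1 = cert, $2 = days
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Step 1 with the issuer supplied explicitly.
verify_with_ca() {  # $1 = CA cert, $2 = cert to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
  local dir c; dir=$(mktemp -d) || return 1
  setup_demo "$dir" || return 1
  sign_request "$dir" "$dir/default.pem"            # no -days: 30-day default
  sign_request "$dir" "$dir/year.pem" -days 365
  for c in default year; do
    openssl x509 -noout -enddate -in "$dir/$c.pem"
    if valid_for_days "$dir/$c.pem" 31; then echo "$c: valid 31 days from now"
    else echo "$c: expires within 31 days, schedule renewal"; fi
    verify_with_ca "$dir/fa_root_cert.pem" "$dir/$c.pem" && echo "$c: chain OK"
  done
  rm -rf "$dir"
}
main
```

The demo keys are 2048-bit RSA signed with SHA-256; the certificate shown in Step 2 is 1024-bit RSA with SHA-1.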