CentOS - Jun 2006 - SSL fingerpring mismatch and issuer certificate problem

I have a remote server running centos 4.3 and a home desktop running
suse 10.1. I have generated an SSL certificate on the server, copied
it on the desktop and run on the desktop:
>openssl x509 -in mynewcertCert.pem  -fingerprint -subject -issuer -serial
-hash -noout
>c_rehash .
getting this warning:
> 
> Doing .
> WARNING: mynewcertPrivateKey.pem does not contain a certificate or CRL:
skipping
> mynewcertCert.pem => 2764d17c.0
Now I have noted two things:

1) the fingerprint generated from the openssl command above is
   different when I run it on centos or on suse 10.1. Why?

2) if I run fetchmail here with these options:

I get:

fetchmail: 6.3.2 querying my.remote.server (protocol POP3) at Tue 13 Jun 2006
07:22:34 PM CEST: poll started
fetchmail: Issuer Organization: The M Zone
fetchmail: Issuer CommonName: my.remote.server
fetchmail: Server CommonName: my.remote.server
fetchmail: my.remote.server key fingerprint: the one obtained running openssl on
the server
fetchmail: my.remote.server fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer
certificate
26227:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from m-mail at fm.vm.bytemark.co.uk

What is the "local issuer" problem? What am I missing? Is it a
consequence of problem 1) ? What is happening, and what must I do to
use this certificate?

TIA,
	Marco

-- 
Marco Fioretti                    mfioretti, at the server mclink.it
Fedora Core 3 for low memory      http://www.rule-project.org/

I don't even have an email address. I have reached an age where my
main purpose is not to receive messages.
                                    U. Eco, quoted in the New Yorker

On Tue, Jun 13, 2006 19:28:58 PM +0200, io (mfioretti at mclink.it)
wrote:
> I have a remote server running centos 4.3 and a home desktop running
> suse 10.1. I have generated an SSL certificate on the server, copied
> it on the desktop and run on the desktop:
After a lot of googling, I have found that:

openssl -verify -issuer_checks returns:

error 30 at 0 depth lookup:authority and subject key identifier mismatch

which, in turn, seems to be caused by screwed settings of
subjectKeyIdentifier and authorityKeyIdentifier in openssl.conf. But I
have not changed them from the default:

######################################################################
marco at polaris:~/geecheck/usr/share/ssl> grep -i keyidentifier openssl.cnf
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
authorityKeyIdentifier=keyid:always,issuer:always
marco at polaris:~/geecheck/usr/share/ssl>
########################################################################

should I change them? If yes, to which values? The ones suggested at
http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-current.html,
for example: are in contrast with them. I will try those settings
tomorrow, but I would really like to hear your opinion, before trying
all possible combinations of values...

TIA,
	marco

-- 
Marco Fioretti                    mfioretti, at the server mclink.it
Fedora Core 3 for low memory      http://www.rule-project.org/

Excuse me for being greedy, but I want freedom and good government.
Both a flourishing economy and a well-cared-for earth. A society that
is diverse and communal.. that offers both privacy and accountability.
One that can afford a big conscience, along with lots of neat toys.
                             -- David Brin -- The Transparent Society