problem:certificate from openssl to work with iplanet enterprise 5.5

2002-12-09 Thread wen ding
hi,

I try to use openssl to issue and manage certificates for internal usage.
I generated CA ROOT certificate with utility from openssl and issued server 
certificate signed by the CA ROOT. The server certificate and CA ROOT worked 
very well with iplanet fasttrack 4.1, an early version web server from sun. 
After that I tried to use it with iplanet enterprise 5.5, the server 
certificate can be installed successfully. But the CA ROOT certificate can be 
recognized by iplanet enterprise 5.5, but when I tried to add it, the system 
failed with the message:
Incorrect Usage:Invalid certificate
The server could not import one of the certificates.

I found all ROOT CA from commercial CA can cooperate well with iplanet 
enterprise and in version field of all certificates from commercial CA 'V3' 
indicates that X509 version 3. In all certificates issued from openssl, the 
version field is filled with 'V1'. There are also other differences, such as 
fields issuing organization key id and subject key id do not exist in 
certificates from openssl.

Besides the problem as stated above, the crl generated from openssl also 
cannot work under iplanet enterprise and its version is also 'V1' while 
revocation list from commercial product is 'V3'.

As I am a newbie in using openssl, I welcome anyone to provide me with any 
advice. Thanks in advance.

My email is [EMAIL PROTECTED]

Great thanks!

dingwen from China

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: problem:certificate from openssl to work with iplanet enterprise 5.5

2002-12-09 Thread Dr. Stephen Henson
On Mon, Dec 09, 2002, wen ding wrote:

> hi,
>
> I try to use openssl to issue and manage certificates for internal usage.
> I generated CA ROOT certificate with utility from openssl and issued server
> certificate signed by the CA ROOT. The server certificate and CA ROOT worked
> very well with iplanet fasttrack 4.1, an early version web server from sun.
> After that I tried to use it with iplanet enterprise 5.5, the server
> certificate can be installed successfully. But the CA ROOT certificate can be
> recognized by iplanet enterprise 5.5, but when I tried to add it, the system
> failed with the message:
> Incorrect Usage:Invalid certificate
> The server could not import one of the certificates.
>
> I found all ROOT CA from commercial CA can cooperate well with iplanet
> enterprise and in version field of all certificates from commercial CA 'V3'
> indicates that X509 version 3. In all certificates issued from openssl, the
> version field is filled with 'V1'. There are also other differences, such as
> fields issuing organization key id and subject key id do not exist in
> certificates from openssl.
>
> Besides the problem as stated above, the crl generated from openssl also
> cannot work under iplanet enterprise and its version is also 'V1' while
> revocation list from commercial product is 'V3'.
>
> As I am a newbie in using openssl, I welcome anyone to provide me with any
> advice. Thanks in advance.
>
> My email is [EMAIL PROTECTED]
>
> Great thanks!
>
> dingwen from China

You haven't mentioned what technique you used to generate the certificates
with OpenSSL. If you'd used CA.pl (see manual page) it would create V3
certificates and include the extensions you mention.

OpenSSL by default creates V1 CRLs because some versions of Netscape choke on
them. By adding extensions it can create a V2 CRL. Not sure what you mean by a
V3 CRL; do you have an example you could post?

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
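
An added example, not part of the original thread and not the CA.pl script mentioned in the reply: it calls openssl req and openssl ca directly with a constructed config that requests the subject and authority key identifier extensions and a CRL extension section, then reads back the version of each file. The directory layout, file names and the DN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all names, paths and the DN below are constructed.
# Builds a self-signed root with X.509v3 extensions and a V2 CRL.
make_v3_ca() {
    dir=$1
    mkdir -p "$dir" || return 1
    : > "$dir/index.txt"          # empty CA database (nothing revoked yet)
    echo 01 > "$dir/crlnumber"    # CRL number extension starts at 1
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Internal Root
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 30
crl_extensions   = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl ca -config "$dir/ca.cnf" -gencrl -keyfile "$dir/ca.key" \
        -cert "$dir/ca.pem" -out "$dir/ca.crl" 2>/dev/null || return 1
}

# Print the version number from the text dump; $1 is "x509" or "crl".
asn1_version() {
    openssl "$1" -in "$2" -noout -text | sed -n 's/^ *Version:* \([0-9][0-9]*\).*/\1/p'
}

# Usage: sh make_ca.sh ./demo-ca
if [ -n "${1:-}" ]; then
    make_v3_ca "$1" && echo "cert V$(asn1_version x509 "$1/ca.pem")," \
        "CRL V$(asn1_version crl "$1/ca.crl")"
fi
```

Removing the crl_extensions and crlnumber lines from the config is the case the reply describes, where the CRL carries no extensions and is written as V1.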