I am maintaining a PKI-enabled website (Apache 2.4.6/ OpenSSL 1.0.1e). When I
open a new browser (IE9 on Win7) and navigate to it, no problems. I select my
certificate and enter my PIN and everything is fine.
My issue is that if I am at another PKI-enabled site and then I go to my site,
I
Dr. Henson,
I installed the Apache 2.2.22/OpenSSL 1.0.1a bundle and then put OpenSSL 1.0.0i
on top of that.
That, in conjunction with adding the root cert to the store for those users
with 6-layer cert chains, did the trick! All the users can now access the site!
This is an area I'm not very
If this works in 1.0.1 but not 0.9.8 I'm guessing it's the name constraints
extension that is the problem which isn't supported in OpenSSL 0.9.8.
One of the intermediate certs does have a name constraint...
It is most likely critical then which would trigger the rejection by OpenSSL
If this works in 1.0.1 but not 0.9.8 I'm guessing it's the name constraints
extension that is the problem which isn't supported in OpenSSL 0.9.8.
One of the intermediate certs does have a name constraint...
Does the production site have any directories of trusted certificates or are
they all
: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
Well...
If by trusted
-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
Well...
If by trusted store you mean my one cert file pointed
It sounds like some clients have the correct intermediate certificate(s)
installed and some do not.
They should select the certificate, click the view button and see if the
certificate path is complete (i.e. it says it is OK).
On systems (XP and some Win7) where the user can access the site
: Thursday, May 03, 2012 12:57
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
It sounds like some clients have the correct intermediate certificate(s)
installed and some do not.
They should select
: Thursday, May 03, 2012 12:57
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
It sounds like some clients have the correct intermediate certificate(s)
installed and some do not.
They should select
If the client certs require chain certs additional to (below
or beside) those in your file, and some clients are sending
those chain certs but other clients (e.g. Windows 7) are not,
that would cause the symptom without any cert(s) being actually
invalid. To test this, get the chain cert(s)
We have an Apache 2.2.22/OpenSSL 1.0.1 CAC-enabled website running on Windows
(XP for development and 2003 for production). We have been experiencing issues
with users with Windows 7 being able to connect lately. In an effort to
understand what is going on, we added %{SSL_PROTOCOL}x
Hello-
I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
server 2003 for production)
The site requires client (CAC) certificates.
I am getting FAILED:unable to get local issuer certificate errors in my
log file from Windows 7 clients. Digging suggested that I check the
I get OpenSSL to trust my DOD root certificate?
Curtis
-Original Message-
From: Bernhard Fröhlich [mailto:t...@convey.de]
Sent: Thursday, April 26, 2012 09:39
To: openssl-users@openssl.org; Tammany, Curtis
Subject: Re: How to trust a 'root' certificate
Am 26.04.2012 15:15, schrieb
, April 26, 2012 10:40
To: openssl-users@openssl.org
Cc: Tammany, Curtis; Bernhard Fröhlich
Subject: Re: How to trust a 'root' certificate
On 04/26/2012 03:58 PM, Tammany, Curtis wrote:
I don't see this as an Apache issue. The site has required client certs for
years now and Apache was configured
... Just put all the CA certificates into one file and remove the
SSLCACertificatePath
and just keep the
SSLCACertificateFile
All of the certs are in one file... with the root cert being the first one in
the file.
They all begin with -BEGIN CERTIFICATE-
and end with -END
They are not test certificates. No- I cannot send them.
Sorry.
Curtis
From: Sergio NNX [mailto:sfhac...@hotmail.com]
Sent: Thursday, April 26, 2012 14:07
To: Tammany, Curtis
Subject: RE: How to trust a 'root' certificate
Running openssl version -d returns OPENSSLDIR: c:/openssl-1.0.1/ssl.
Do
Hello-
I am running Apache 2.2.22 with OpenSSL 1.0.1 on Windows (XP for dev and
server 2003 for production)
I require client certificates.
I am getting FAILED:unable to get local issuer certificate errors in my
log file from Windows 7 clients. Digging suggested that I check the
intermediate
I had brought this issue up earlier (Windows 7/IE8 CAC enabled sites). With
SSL 3.0 only checked on IE8 (in windows 7), I could make a connection to my
site that had OpenSSL 1.0.0g. With both SSL 3.0 AND TLS 1.0 checked, I could
not make a connection. We rolled back versions of OpenSSL until we
...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Saturday, February 25, 2012 12:27
To: openssl-users@openssl.org
Subject: Re: Windows 7/IE8 CAC enabled sites
On Fri, Feb 24, 2012, Tammany, Curtis wrote:
Hello-
We have an Apache 2.2.22/ OpenSSL 1.0.0g/ PHP 5.3.10 CAC-enabled website
Hello-
We have an Apache 2.2.22/ OpenSSL 1.0.0g/ PHP 5.3.10 CAC-enabled website on a
government location. We have a few users with Windows 7/IE8 who used to be able
to access the site but were unable to after a Microsoft patch (KB2585542
http://support.microsoft.com/kb/2643584) was pushed.
The