Hi, I'm trying to install a GlobalID into the c2 Stronghold server
which is pretty similar to modssl (I have to use Stronghold because
it's for a commercial server in the US).  I'm having a lot of trouble
and found some messages about GlobalIDs in the sw-mod-ssl archives
so I thought I'd ask for advice here.  The problem is that the GSID
is delivered as two separate certificates that need to be chained.
There is the GSID itself and an intermediate cert that signs it.
Simply dropping the intermediate cert into the directory pointed
to by SSLCACertificatesPath doesn't seem to help.  The browser acts
like it's just received the GSID itself which it treats as a valid
cert signed by an unknown issuer, so I don't get the 128 bit step-up.

Connecting with ssleay's s_client shows a 1-deep cert chain: the GSID
and the intermediate cert.  Only one certificate seems to be
displayed.  Connecting to another machine presenting a GSID from
Netscape Proxy Server gives a 2-deep chain: the GSID, the intermediate
cert, and the Verisign Class 3 Public Primary CA.  Again, it only
shows one PEM cert, but it's about twice as long as the one that I get
from Stronghold.

Anyway I'm wondering, has anyone here gotten a real Verisign GlobalID
(not a non-chained self-signed one with a patched cert7.db file)
to work with modssl?  What did you do to install the intermediate cert?
Is there some tool that combines the certs in a chain into one PEM file?
Has the GSID been observed to work (i.e. to give 128 bit crypto and
not cause disconnects) in both Netscape and MSIE browsers?

Thanks very much for any advice.

Paul
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]