Gareth Jones wrote:
>
> I did order the certificate for Stronghold, since I guessed this was the
> closest thing to Apache + mod_ssl. The output from "openssl x509 ..." only
> mentions the extra Netscape flag, doesn't say anything about a Microsoft
> flag.
>     X509v3 Extended Key Usage:
>         Netscape Server Gated Crypto
> Am I looking in the wrong place? Should I be looking for something else?
>
> Is there any way around this problem? I don't fancy telling my boss we just
> paid $1600 for a certificate which will only be of use to ~30% (at most) of
> our clients :).
>
> Thanks for your help,
>
> Gareth.
>
I 'only' know of 4 situations where IE does not use SGC even if the server
presents such a cert.
1) The cert contains the MS-SGC flag in the extended key usage.
   Use 'openssl x509 -text -noout -in <cert>' to check it
2) The intermediate cert is not installed / available for OpenSSL to send
   to the client, which expects all three certs in the chain.
   Use 'openssl s_client -connect <servername:port>' to check if you get
   all three certs from the server
3) You don't use the correct hostname to connect to the server. If you get
   any warning box (name mismatch) it does not work. IE makes the step up
   only if the CN part of the cert matches the name you typed in in the URL
4) You use an IE prior to version 4
Matthias
-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED] Voice: +41 1 272 6111 Fax: +41 1 272 6312
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
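Added example, not part of the original messages: a Python helper that reads the text printed by the two openssl commands named in the reply and reports the SGC key usages listed, how many certificates the server sent, and whether the subject CN equals the hostname used. The function names and the sample output are constructed for illustration.

```python
import re

# Names as printed by `openssl x509 -text` under "X509v3 Extended Key Usage".
SGC_NAMES = {
    "Netscape Server Gated Crypto": "netscape_sgc",
    "Microsoft Server Gated Crypto": "microsoft_sgc",
}

def sgc_flags(x509_text):
    """Return the SGC usages listed on the line after the EKU header."""
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n([^\n]*)", x509_text)
    if not m:
        return set()
    usages = [u.strip() for u in m.group(1).split(",")]
    return {SGC_NAMES[u] for u in usages if u in SGC_NAMES}

def subject_cn(x509_text):
    """Extract the CN from the Subject line (handles 'CN=' and 'CN = ')."""
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", x509_text, re.M)
    return m.group(1).strip() if m else None

def chain_length(s_client_text):
    """Count the numbered 's:' entries under 'Certificate chain'."""
    return len(re.findall(r"^\s*\d+ s:", s_client_text, re.M))

def report(x509_text, s_client_text, hostname):
    """Collect the values to compare against checks 1 to 3 of the reply."""
    cn = subject_cn(x509_text)
    return {
        "sgc_flags": sorted(sgc_flags(x509_text)),
        "certs_sent": chain_length(s_client_text),
        "cn": cn,
        "cn_matches_hostname": cn is not None and cn.lower() == hostname.lower(),
    }

# Constructed sample output, not taken from a real certificate or server.
SAMPLE_X509 = """\
        Issuer: O=Example Intermediate CA
        Subject: C=CH, O=Example, CN=www.example.com
            X509v3 Extended Key Usage:
                Netscape Server Gated Crypto
"""
SAMPLE_S_CLIENT = """\
Certificate chain
 0 s:/C=CH/O=Example/CN=www.example.com
   i:/O=Example Intermediate CA
 1 s:/O=Example Intermediate CA
   i:/O=Example Root CA
"""
```

Calling `report(SAMPLE_X509, SAMPLE_S_CLIENT, "example.com")` on the constructed sample shows only the Netscape usage, two certificates sent, and a CN that does not equal the hostname.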