Hello,
I've just installed modssl+apache on a machine; I'm using a certificate
signed by GlobalSign.
It works for Netscape and MSIE 5 : I can connect from Netscape and MS IE 5
without problems.
However, I did have to load the "primary server CA" and "server CA"
certificates of GlobalSign, in addition to the GlobalSign "root CA", into
the webbrowsers; simply the root CA was not enough to get rid of the
warnings you'd otherwise get (that it could not identify the party that
had signed the certificate).
I'm using the
SSLCertificateChainFile
directive to try to load those 3 GlobalSign certificates into the browser
now.
But for Microsoft IE 3, although I have installed the GlobalSign root CA,
and the primary server CA and the server CA of globalsign into MS IE (I
can see they are installed by checking the Security Options where you have
a list of "Locations" certificates), it keeps refusing to connect to our
site (which offers the certificate signed by Globalsign).
The error message is : it says the company that signed our certicate is
not known to it.
This is absurd since the GlobalSign certificates are listed in the
browser... (and enabled). It's a list with GlobalSign, Verisign etc.
I've also tried to load (our) DER encoded .crt file of our own site into
that browser, and it installed, but I still cannot connect.
Now all this would be no problem if there were a clear message, saying
that the user has to upgrade to MS IE 5.
My question is :
1) is there a way to make SSLCertificateChainFile work for MS IE 3
2) if not, is there a way for the _server_ to immediately refuse
connections of MS IE 3 and issue the user with a message to get a more
recent browser.
It would be nice if I could immediately redirect users of MS IE 3 to a
page that says that they have to upgrade.
Otherwise it's really "ugly" if the users have a message like "Cannot
verify the company that has signed the certificate" while it's just a MS
IE 3 problem (I think).
Thanks,
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
