On Wed, May 03, 2000 at 10:22:30AM -0700, Schaefer,Lorrayne J. wrote:
> I am working with Apache 1.3.12, Open SSL 0.9.3, and
> mod_SSL--2.6.3-1.3.12 . All software is installed on Solaris 2.8. I
> have Netscape CMS 4.1 installed as well. The Netscape CMS is our root
> CA and would like to have the Netscape CA issue our Apache Web Server
> and Netscape Communicator certificates.
>
Hmmm - your openssl version is a bit old - the current is up to 0.9.5a.
I don't think it'll fix your problem, but there are a few issues about
the random number generator in pre-0.9.5 versions.
I know close to nothing about the Netscape Certificate server, but I'll
try to answer this on general knowledge.
> We were able to establish a one-way SSL channel only. The bad news here
> is that we could only establish this channel with Apache being the
> issuing authority. We could NOT get this to work with Netscape CA. We
> received the error message "Missing or malformed KeyGen, PKCS10 or CRMF
> request." This is the message we received when posting the cert request
> to our Netscape Root CA.
>
You're not making this very clear, but I'm guessing that what you're
talking about is that you can't get your NS CA server to accept certificate
requests generated by openssl?
Did you follow the instructions at
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC28 ?
That should generate a well formed certificate request in pkcs10 format.
[SNIP]
> We decided to try to use the bootstrap server cert to see if we could at
> least do mutual authentication. We loaded the Netscape Root CA cert into
> Apache's trusted root database. We used tools provided with the server
> to verify that the root CA cert was properly installed. It was. After
Did you do a make in the /path/to/apache/conf/ssl.crt dir?
> restarting the server in mutual authentication mode, we then attempted
> to authenticate ourselves to the Web server and received the error
> messages "certificate signature failure, ASN1_verify:bad get asn1 object
> call, SSL3_GET_CLIENT_CERTIFICATE:no certificate returned." We know that the server
> properly queried the browser for a client cert as we configured the
> browser to prompt us each and every time a cert is required.
>
This usually means that the browser did not return a client certificate -
> So, we next added the subordinate CA cert (the issuer of our end entity
> cert) to the trusted root database. We received the same error
> messages.
>
> Next, we removed the root and subordinate CAs from our trusted root
> database. As expected, we received the error message indicating that it
> couldn't locate the issuer in its trusted root database. From this, we
> definitely know that it can locate the CA in its trusted root database.
> The problem is that we don't know why it's failing to validate the CA's
> cert.
>
> Any help would be greatly appreciated.
>
Do take the time to look through the example at:
http://www.modssl.org/docs/2.6/ssl_howto.html#ToC6 - is your setup any
different from that?
http://www.modssl.org/docs/2.6/ssl_faq.html also provides several ways
to check content of certificates and requests.
Setting SSLLogLevel to debug might also help you track the problem.
Also try:
openssl s_client -connect localhost:443 -CAfile ca.crt -showcerts -debug \
-key client.key -cert client.crt
Where .crt's are in pem format. More info at
http://www.openssl.org/docs/apps/s_client.html
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]