At 09:45 AM 08/29/2000 -0500, you wrote:
Tammy,
Have you used the verify option in netscape to make sure it likes the
Globus and user certificates that you have imported? It might say
'Not certified for Email' for the user certificate, but the CA cert
should pass.
The Globus user certificate that I have installed in my Netscape Browser says "Not certified for Email". Also, the Globus CA certificate that I have installed in my Netscape Browser passes o.k.; it says "The certificate has been successfully verified".
Does the Globus user certificate have to have support for Email to pass Client Authentication with an SSL-secured Web Server (such as Apache-modssl)? If so, I will have to have Argonne generate another Globus user certificate for me, with support for email. Do you know a slick way to modify user certificates to support email?
Otherwise, maybe there is something in the Apache-SSL httpd configuration that I have not come across yet. Believe me, I have tried a lot of configurations. Or maybe there needs to be a Globus CA chained certificate of some kind installed in my Netscape Browser. I know when I tried to use a Thawte test user certificate, it required that their Thawte Test Root CA be installed in my Netscape Browser. But I couldn't get it to work either, as the Thawte test user certificate uses a test name for the common name (CN), instead of the fully qualified host name of the web server.
I must have the CN equal the fully qualified host name of the Apache-SSL web server. In my case it must be bernie.grc.nasa.gov.
I was hoping the NAS folks would have their NAS CA activated with certificate key management system support and this process I am going through would possibly be more straight forward.
Pretty soon, I believe I have to have my management pay Verisign or Thawte the monies to purchase a user and server certificate. Only problem there is, the IPG world would like everyone to use IPG endorsed CAs.
-- Tammy
Von
On Sat, Aug 26, 2000 at 12:07:22AM -0400, Tammy M Blaser wrote:
> Has anyone got their Globus CA signed with a gatekeeper host certificate
> "server certificate" to operate a web site and authenticate with a Netscape
> Communicator client?
>
> I am using the apache 1.3.12 (w/mod_ssl) web server on Linux 2.2.16-3smp
> using Globus1.1.3 and OpenSSL 0.9.5a.
>
> I have spent many hours on this and I can't get the client authenticated, with
> SSLVerifyClient required
> SSLVerifyDepth 1 [or 2] neither work
>
> If I turn client authentication off,
> SSLVerifyClient none
> SSLVerifyDepth 0
> of course, it works fine, but I need to authenticate my clients.
>
> I did however learn, how to get the Globus CA installed into my Netscape
> Communicator browser as a trusted certificate. You have to add the MIME
> type "application/x-x509-ca-cert" to your Netscape preferences.
> See URL, step 3
> http://www.graphics.lcs.mit.edu/vrmlTracer/installCertificate.html
>
> I used the Globus CA certificate 42864e48.0 located in the
> /opt/globus1.1.3/share/certificates directory as the apache
> SSLCACertificateFile.
> I also tried pointing to the directory where all the CA are located with
> the apache SSLCACertificatePath directive.
>
> I used /opt/globus1.1.3/etc/globus-gatekeeper.cert as the apache
> SSLCertificateFile, and
> /opt/globus1.1.3/etc/globus-gatekeeper.key as the apache SSLCertificateKey.
>
> I used the globus-gatekeeper.cert as my user "Client" certificate and
> generated it as follows:
>
> openssl pkcs12 -export -in /opt/globus1.1.3/etc/globus-gatekeeper.cert
> -inkey /opt/globus1.1.3/etc/globus-gatekeeper.key -certfile
> /opt/globus/share/certificates/42864e48.0 -out netscape.bernie.cert.p12
> -name 'Bernie'
> Enter Export Password:
> Verifying password - Enter Export Password:
>
> I had to use the globus-gatekeeper.cert as my client cert as Netscape
> Communicator requires the common name CN to be the host name of the web
> server you are trying to access.
>
> APACHE LOGS THE FOLLOWING:
>
> OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
> not return a certificate [Hint: No CAs known to server for verification?]
>
> NETSCAPE COMMUNICATOR POPS THE FOLLOWING WINDOW:
>
> No User Certificate
>
> ______________________________
>
> If I don't get anywhere on this soon, I will have to use a commercial CA to
> sign my Apache web server and client certificates.
>
> Any help would be much appreciated.
>
> -- Tammy
> ==================================================
> Tammy M. Blaser
> NASA John H. Glenn Research Center
> Flight Software Engineering Organization 7750
> Mail stop 86-11
> 216-433-2699 (office)
> 216-433-8269 (fax)
> [EMAIL PROTECTED]
> ==================================================
--
Von Welch [EMAIL PROTECTED]
Alliance Computational Environment and Security, NCSA
==================================================
Tammy M. Blaser
NASA John H. Glenn Research Center
Flight Software Engineering Organization 7750
Mail stop 86-11
216-433-2699 (office)
216-433-8269 (fax)
[EMAIL PROTECTED]
==================================================
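Taking the server's hint literally, the following added example (shell; not code from the thread, Globus or mod_ssl) reproduces the acceptance decision mod_ssl makes under "SSLVerifyClient require" using a throw-away CA and user certificate built on the spot; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Globus/mod_ssl. Under "SSLVerifyClient
# require" the server advertises the subject DN of every CA in SSLCACertificateFile (or
# the <hash>.0 files under SSLCACertificatePath), the browser offers a certificate that
# chains to one of them, and the server verifies the chain. A client certificate whose
# issuer is not in that list is the usual reason for "peer did not return a certificate
# [Hint: No CAs known to server for verification?]". Assumes the openssl CLI; every key
# and certificate below is a constructed, throw-away value.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Build a demo CA, a user cert it signed, and two CAs the server must NOT accept:
# an unrelated one, and an impostor with the same subject DN but a different key.
make_demo_pki() {
  for ca in "ca:/O=Demo Grid/CN=Demo CA" "other:/O=Other/CN=Other CA" \
            "impostor:/O=Demo Grid/CN=Demo CA"; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "${ca#*:}" \
      -keyout "$WORK/${ca%%:*}.key" -out "$WORK/${ca%%:*}.pem" >/dev/null 2>&1
  done
  openssl req -newkey rsa:2048 -nodes -subj '/O=Demo Grid/CN=Demo User' \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/user.pem" >/dev/null 2>&1
}
# Name a CA cert must carry inside an SSLCACertificatePath directory (<hash>.0), the
# scheme behind 42864e48.0 in the thread. The hash algorithm changed in OpenSSL 1.0.0,
# so a directory populated under 0.9.x must be re-hashed when the toolkit is upgraded.
ca_path_name() { echo "$(openssl x509 -in "$1" -noout -hash).0"; }
# check_client_cert CA_FILE CLIENT_CERT: returns 0 if a server configured with CA_FILE
# and SSLVerifyDepth 1 would accept CLIENT_CERT, otherwise 1 with the reason on stderr.
check_client_cert() {
  ca_file=$1; cert=$2
  # "issuer=" / "subject=" prefixes and DN formatting vary by OpenSSL version, but the
  # same version prints both, so stripping the label is enough for an exact compare.
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
  acceptable=$(openssl crl2pkcs7 -nocrl -certfile "$ca_file" \
               | openssl pkcs7 -print_certs -noout | sed -n 's/^subject= *//p')
  if ! printf '%s\n' "$acceptable" | grep -qxF -- "$issuer"; then
    echo "server does not advertise issuer '$issuer'; browser has nothing to offer" >&2
    return 1
  fi
  # A matching DN is not enough: the signature must chain to a key the server trusts.
  if ! openssl verify -CAfile "$ca_file" "$cert" 2>&1 | grep -q ': OK$'; then
    echo "issuer DN is listed but the chain does not verify against $ca_file" >&2
    return 1
  fi
  return 0
}
```

Pointing check_client_cert at the real SSLCACertificateFile and the exported user certificate tells you which of the two conditions a setup like the one in the thread fails.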
