If anyone out there is able to resolve the issue described below, I would be
greatly moved.
We get quite a few calls on this matter and really have nothing to supply to
the customer... since all documentation states that Apache supports
Global/SGC/Step Up certificates.

Another issue that I think a few folks have touched on this list is the fact
that MS IE 5 (International 40/56 bit) does not connect and/or crashes
during the second SSL negotiation when a Global/SGC/Step Up certificate has
been installed.

Sincerely,

Ray Erdmann
Technical Support
Verisign, Inc.

-----Original Message-----
From: Anselmi, David [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 11:12 AM
To: Openssl List (E-mail); Mod_ssl List (E-mail)
Subject: Verisign intermediate CA cert problem with Netscape.


System: Solaris running Apache 1.3.14, mod_ssl 2.7.1, openssl 0.9.6 with
Verisign global server id installed.

Problem: Netscape Navigator 4.74 complains that it doesn't recognize the
signer of the server cert.

I've followed the directions in mod_ssl for the global server id, and
checked the openssl and mod_ssl list archives, but I can't figure out how to
get Netscape to accept the cert as valid.  Can anyone suggest a fix, or tell
me how to install the intermediate CA cert manually in Netscape (so it's
there the first time a user connects to my server)?

Details:

I've installed server.crt (my Verisign global server id, created for Apache)
where SSLCertificateFile points and ca.crt (the Verisign intermediate CA
cert) where SSLCertificateChainFile points.

Running make in my ssl.crt directory (to create the hash code links) gives
me an error on the ca.crt file:

        unable to load certificate
        1938:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

This doesn't seem to be the problem because Apache finds the file by name
using SSLCertificateChainFile, and IE gets the intermediate cert correctly.

In IE, I can see the certificate chain, root CA -> intermediate CA ->
server, and everything validates correctly.  So it seems that Apache is
sending the intermediate cert, but NS ignores it.

At the moment the server name and the server cert CN are different, due to a
temporary DNS config.  Both browsers report that, but Netscape reports the
signature problem first.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
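
Added example, not part of either message above: OpenSSL reports `PEM_read_bio:no start line` when it finds no `-----BEGIN ...-----` line in the input, and one common cause is a certificate file stored as binary DER rather than PEM. The sketch below classifies a certificate file by its outer framing and re-wraps DER as PEM; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# PEM framing: "-----BEGIN <label>-----" ... "-----END <label>-----"
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# PEM labels used for X.509 certificates
CERT_LABELS = {b"CERTIFICATE", b"X509 CERTIFICATE", b"TRUSTED CERTIFICATE"}


def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (outer framing check only)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        header, length = 2, data[1]
    else:                                   # long-form length
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def classify(data: bytes) -> str:
    """Return 'pem-cert', 'pem-other:<label>', 'der' or 'unknown'."""
    m = PEM_BLOCK.search(data)
    if m:
        label = m.group(1)
        return "pem-cert" if label in CERT_LABELS else "pem-other:" + label.decode()
    return "der" if is_der_sequence(data) else "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in CERTIFICATE armor with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: bytes) -> bytes:
    """Decode the body of the first PEM block back to raw bytes."""
    return base64.b64decode(PEM_BLOCK.search(pem).group(2))


# Constructed sample: a DER SEQUENCE header plus 256 zero bytes, not a real cert
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    print(classify(SAMPLE_DER), classify(der_to_pem(SAMPLE_DER)))
```

A file classified as `pem-other:<label>` (for example a PKCS7 bundle) or `unknown` needs a different conversion than plain re-wrapping.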