Wasn't it 4.74 where the root cert expired (Jan 1, 2000) in the browser?
If the user didn't update their root cert, they probably won't recognize
things. If I remember correctly, there used to be a place on the Verisign
site that allowed the user to update their root certs, but that
disappeared for some reason just before Y2K hit.

rjl

Ray Erdmann wrote:
> 
> If anyone out there is able to resolve the issue described below, I would be
> greatly moved.
> We get quite a few calls on this matter and really have nothing to supply to
> the customer...since all documentation states
> that Apache supports Global/SGC/Step Up certificates.
> 
> Another issue that I think a few folks have touched on this list is the fact
> that MS IE 5 (International 40/56 bit) does not connect and/or crashes
> during the second SSL negotiation when a Global/SGC/Step Up certificate has
> been installed.
> 
> Sincerely,
> 
> Ray Erdmann
> Technical Support
> Verisign, Inc.
> 
> -----Original Message-----
> From: Anselmi, David [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 11, 2001 11:12 AM
> To: Openssl List (E-mail); Mod_ssl List (E-mail)
> Subject: Verisign intermediate CA cert problem with Netscape.
> 
> System: Solaris running Apache 1.3.14, mod_ssl 2.7.1, openssl 0.9.6 with
> Verisign global server id installed.
> 
> Problem: Netscape Navigator 4.74 complains that it doesn't recognize the
> signer of the server cert.
> 
> I've followed the directions in mod_ssl for the global server id, and
> checked the openssl and mod_ssl list archives, but I can't figure out how to
> get Netscape to accept the cert as valid.  Can anyone suggest a fix, or tell
> me how to install the intermediate CA cert manually in Netscape (so it's
> there the first time a user connects to my server)?
> 
> Details:
> 
> I've installed server.crt (my Verisign global server id, created for Apache)
> where SSLCertificateFile points and ca.crt (the Verisign intermediate CA
> cert) where SSLCertificateChainFile points.
> 
> Running make in my ssl.crt directory (to create the hash code links) gives
> me an error on the ca.crt file:
> 
>         unable to load certificate
>         1938:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
> 
> This doesn't seem to be the problem because Apache finds the file by name
> using SSLCertificateChainFile, and IE gets the intermediate cert correctly.
> 
> In IE, I can see the certificate chain, root CA -> intermediate CA ->
> server, and everything validates correctly.  So it seems that Apache is
> sending the intermediate cert, but NS ignores it.
> 
> At the moment the server name and the server cert CN are different, due to a
> temporary DNS config.  Both browsers report that, but Netscape reports the
> signature problem first.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
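Added example, not part of the original thread and not code from mod_ssl or OpenSSL: the `PEM_read_bio:no start line` error quoted in the original message is what OpenSSL's PEM reader reports when it finds no `-----BEGIN ...-----` line in the file. The Python below classifies how a certificate file such as `ca.crt` is encoded and re-wraps DER or header-less base64 as a PEM CERTIFICATE block; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re
import ssl

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (the outer shape of an X.509 cert)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Classify a certificate file: 'pem:<LABEL>', 'der', 'bare-base64' or 'unknown'."""
    m = PEM_BLOCK.search(data)
    if m:
        return "pem:" + m.group(1).decode("ascii")
    if der_sequence_ok(data):
        return "der"
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "bare-base64" if der_sequence_ok(decoded) else "unknown"


def to_pem_certificate(data: bytes) -> str:
    """Return a PEM CERTIFICATE block for DER or header-less base64 input."""
    kind = classify(data)
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    if kind == "bare-base64":
        return ssl.DER_cert_to_PEM_cert(base64.b64decode(b"".join(data.split())))
    raise ValueError(f"not convertible: {kind}")


# Constructed sample: a DER SEQUENCE shell of 256 zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
```

A result of `pem:` followed by a label other than `CERTIFICATE` or `TRUSTED CERTIFICATE` means the file is PEM but holds a different object type, which this script reports and does not convert.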