- It actually was version 4.05 and below.
- Yes, we did have the new certs online for a while until Netscape said that downloading a new root still wouldn't resolve the issue.

- We also took it off our site because Netscape said they would not support any version below 4.07?? at that time.

Ray

-----Original Message-----
From: Randy Lee [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 12:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Verisign intermediate CA cert problem with Netscape.


Wasn't it 4.74 where the root cert expired (Jan 1, 2000) in the browser?
If the user didn't update their root cert, they probably won't recognize
things. If I remember correctly, there used to be a place on the Verisign
site that allowed the user to update their root certs, but that
disappeared for some reason just before Y2K hit.

rjl

Ray Erdmann wrote:
>
> If anyone out there is able to resolve the issue described below, I would be
> greatly moved.
> We get quite a few calls on this matter and really have nothing to supply to
> the customer...since all documentation states
> that Apache supports Global/SGC/Step Up certificates.
>
> Another issue that I think a few folks have touched on this list is the fact
> that MS IE 5 (International 40/56 bit) does not connect and/or crashes
> during the second SSL negotiation when a Global/SGC/Step Up certificate has
> been installed.
>
> Sincerely,
>
> Ray Erdmann
> Technical Support
> Verisign, Inc.
>
> -----Original Message-----
> From: Anselmi, David [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 11, 2001 11:12 AM
> To: Openssl List (E-mail); Mod_ssl List (E-mail)
> Subject: Verisign intermediate CA cert problem with Netscape.
>
> System: Solaris running Apache 1.3.14, mod_ssl 2.7.1, openssl 0.9.6 with
> Verisign global server id installed.
>
> Problem: Netscape Navigator 4.74 complains that it doesn't recognize the
> signer of the server cert.
>
> I've followed the directions in mod_ssl for the global server id, and
> checked the openssl and mod_ssl list archives, but I can't figure out how to
> get Netscape to accept the cert as valid.  Can anyone suggest a fix, or tell
> me how to install the intermediate CA cert manually in Netscape (so it's
> there the first time a user connects to my server)?
>
> Details:
>
> I've installed server.crt (my Verisign global server id, created for Apache)
> where SSLCertificateFile points and ca.crt (the Verisign intermediate CA
> cert) where SSLCertificateChainFile points.
>
> Running make in my ssl.crt directory (to create the hash code links) gives
> me an error on the ca.crt file:
>
>         unable to load certificate
>         1938:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
>
> This doesn't seem to be the problem because Apache finds the file by name
> using SSLCertificateChainFile, and IE gets the intermediate cert correctly.
>
> In IE, I can see the certificate chain, root CA -> intermediate CA ->
> server, and everything validates correctly.  So it seems that Apache is
> sending the intermediate cert, but NS ignores it.
>
> At the moment the server name and the server cert CN are different, due to a
> temporary DNS config.  Both browsers report that, but Netscape reports the
> signature problem first.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
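
The `no start line` error quoted in the original report is what OpenSSL's PEM reader returns when a file contains no `-----BEGIN ...-----` line; a DER-encoded (binary) certificate is one common cause. The following is an added example, not part of the thread: a Python check that tells PEM from DER for a file such as `ca.crt` and rewraps DER as PEM. The function names and sample bytes are constructed for illustration, and the check is structural only (it does not parse X.509 fields).

```python
import base64
import re

# PEM labels OpenSSL accepts when it is asked to read a certificate.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose content starts with a SEQUENCE."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data) and data[header:header + 1] == b"\x30"

def classify(data: bytes) -> str:
    """Return 'pem', 'pem-wrong-label:<label>', 'der' or 'unknown'."""
    m = PEM_RE.search(data)
    if not m:                             # no BEGIN line: the "no start line" case
        return "der" if der_sequence_ok(data) else "unknown"
    label = m.group(1).decode()
    if label not in CERT_LABELS:
        return "pem-wrong-label:" + label
    try:
        body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:                    # corrupt base64 between the markers
        return "unknown"
    return "pem" if der_sequence_ok(body) else "unknown"

def der_to_pem(data: bytes) -> bytes:
    """Wrap DER bytes in the BEGIN/END CERTIFICATE lines the PEM reader looks for."""
    if not der_sequence_ok(data):
        raise ValueError("input does not look like a DER-encoded certificate")
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"

# Constructed placeholder: a nested DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("30053003020102")
```

A result of `der` for the chain file means it has to be converted to PEM before the hash-link `make` step can read it; `unknown` means the file is neither and should be re-downloaded from the CA.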
