Thanks for you help...
All works fine now.
I red the mod_ssl docs before installing and configuring my web server.
I'm making a study about a PKI solution with our own Certificate Sever
(Netscape CMS).
Users and Certificates will be published in a M$ Active Directory.
Final application will be implementing secure Email : Users must have a
login and a certificate for a connection on an Outlook Web Access Server.
So, this is what I did :
- Modify the conf/ssl.crt/ca-bundle.crt file by adding in it my Netscape
Certificate Server definitions.
- Modify the httpd.conf file
SSLCertificateChainFile /opt/www/conf/ssl.crt/server.crt
SSLCertificatePath /opt/www/conf/ssl.crt
SSLCACertificateFile /opt/www/conf/ssl.crt/ca-bundle.crt
Regards,
Ravi APPANAH
----- Original Message -----
From: "Owen Boyle" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 26, 2001 1:50 PM
Subject: Re: URGENT : SSL Handshake failed
> drt rappanah wrote:
> > The client has its certificate installed in the browser. He asked the
> > Netscape Certificate Server for a certificate and then installed it in
the
> > Browser.
> >
> > Sorry, I miss someting about the authentication chain.
> > The Apcahe server got a certifcate from the Netscape Certificate Server.
> > Does the server verify the client certificate by contacting the Netscape
> > Certificate Server ?
> > Does the client verify the sever certificate by contacting the Netscape
> > Certificate Server ?
>
> Verfication is done entirely in the server or client - they don't go
> scooting about the web looking for Certificate Authorities... Browsers
> usually have lots of CA certificates already installed (if you use
> netscape, click on the wee padlock on the toolbar and see what happens).
> Your browser will trust all websites using a certificate signed by a
> known CA.
>
> You want to do the converse of this - your server should verify clients
> who have Netscape certificates. So your server needs a CA certificate
> from Netscape.
>
> > You suggest me to configure the SSLCACertificatePath...
> > What does it mean ?
> > Should I import all the client certificates of the Netscape Certificate
> > Server in the directory conf/ssl.crt ?
>
> This is where you put the CA certificate - NB you do not need all the
> client certificates!
> Did you read http://www.modssl.org/docs/2.7/ssl_reference.html#ToC13?
>
> What you are trying to do is quite complicated and you should really
> make sure you understand how it all works before going live. Reading the
> documentation is meant to be the first step, not the last resort...
>
> Regards,
>
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
