"Ladd Angelius" <[EMAIL PROTECTED]> writes:
> Does anyone know about a workaround/fix for the below problem? We'd
> like to use a wildcard certificate ...
>
> I tested the "wildcard" test-certificate offered by www.thawte.com
>
> The test:
> I control the DNS, so I put a "*.gmoney.com" entry in my DNS file,
> and ping tested multiple names, ie. hello.mydomain.com,
> xxxx.mydomain.com, etc. Everything resolves to a specific IP, which
> is a box running Linux RedHat7 with preconfigured SSL and Apache
> (comes already set up with RH7).
I don't understand this bit. I didn't think "*" was a valid character
in host names, and that's jus tnot how wildcard certs work.
> I generated a CSR with the command "make certreq", submitted it to
> www.thawte.com, receieved a CRT, copied the CRT to the file
> /etc/httpd/conf/ssl.crt/server.crt, and restarted apache.
>
> Findings:
>
> All clients connecting over SSL recieve the "non-trusted authority"
> error (this is normal for a "test" certificate).
>
> Win2K IE5 clients report "hostname does not match the certificate."
> Win2K NS4.7 only reports "non-trusted authority." No mention of
> hostname match or not.
> Win98 NS4.7 only reports "non-trusted authority." No mention of
> hostname match or not.
>
> Any and all suggestions/fixes/workarounds will be greatly appreciated.
windows 2000 does not support wildcard. microsoft disaproves of them
or some such silliness. thawte mentions it here:
http://www.thawte.com/support/server/wildcards.html. I expect you
could find something on microsoft's web pages if you looked...
this may or may not affect netscape.
if it reports a non-trusted authority it implies it's ca cert file is
confused. did you check it?
seph
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
