Same thing happened to me. Then I configured a CA certificate file and
things went straight.
The idea is that when the SSL handshake takes place, the server asks for
a certificate which he will consider valid, that is, one signed by a
trusted CA.
The server sends what HE considers to be trusted CAs to the browser, and
the browser filters the installed certificates and shows only those
signed by one of the server's trusted CAs.
IE5 seems a little stupid... and if no certificate passes this condition
he just presents an empty dialog.
Just create a text file and drop there all your trusted CAs in PEM format
(those that say -----BEGIN CERTIFICATE-----).
Just cat them all, one after another. You can even place comments in
between them, as mod_ssl will just parse from a
-----BEGIN CERTIFICATE----- up to an -----END CERTIFICATE-----.
Then add the directive

 SSLCACertificateFile certs/my_trusted_cas.crt

obviously replacing 'certs/my_trusted_cas.crt' by the path and name of the
recently created file.
Now just try again.
The mod_ssl distribution comes with a file named ca-bundle.crt containing
the certificates for what Netscape considers trusted CAs.
You can use that one and add your ca-dff.crt in PEM format.
Try it yourself by adding and removing that entry and you'll see that when
the browser asks you to select a certificate, the newly created cert will
appear or not depending on the presence of 'ca-dff.crt' in that trusted
CAs file of the server.
Hope that helps you.
Diego
At 12:51 19/3/2001 +0100, you wrote:
>Hm.. I configured modssl to require a client cert
>to access a site
>
> SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ )
> SSLVerifyClient require
> SSLVerifyDepth 5
>
>Then I tried to create a client cert...
>
> openssl req -new -nodes -keyout clientcert.key -out clientcert.csr
>
>Then our CA signed the CSR
>
> openssl x509 -req -in clientcert.csr -out clientcert.crt \
> -signkey ca-dff.key -CA ca-dff.crt -CAkey ca-dff.key \
> -CAcreateserial -days 14
>
>Our CA root cert is installed in the browser.
>I then dropped the clientcert.crt into the browser and installed it.
>
>When I now access the site IE5 opens a box and asks to choose the
>client cert. Unfortunately the box is empty!!
>It doesn't even show my Thawte Personal Cert!
>
>What am I doing wrong?
>--
>Torsten
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
Diego Tártara
[EMAIL PROTECTED]
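
The behaviour described in this message can be reproduced in a scratch directory. The script below is an added example, not part of the original thread: it builds two throwaway CAs, issues a client certificate from one of them, and shows that the certificate only chains to a concatenated PEM bundle when its issuing CA is in the file. `openssl verify` stands in for the CA matching done by server and browser; every file and subject name is constructed.

```shell
#!/bin/sh
# Added example; every file name and subject name below is constructed.
set -eu
cd "$(mktemp -d)"

# make_ca NAME: throwaway self-signed CA (NAME.key, NAME.crt)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_client CA NAME: client key and CSR, then a certificate signed by CA
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.crt" 2>/dev/null
}

# chains_to_bundle CERT BUNDLE: true if CERT was issued by a CA found in BUNDLE
chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# count_certs BUNDLE: number of PEM certificate blocks in BUNDLE
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

make_ca demo-internal-ca
make_ca demo-public-ca
issue_client demo-internal-ca demo-client

# Bundle A: only the "public" CA, as when the internal CA was never added
cat demo-public-ca.crt > bundle_without.crt
# Bundle B: both CAs concatenated, with free text between the PEM blocks
{
    echo "Public CA (constructed)"
    cat demo-public-ca.crt
    echo "Internal CA that signs our client certificates (constructed)"
    cat demo-internal-ca.crt
} > bundle_with.crt

for b in bundle_without.crt bundle_with.crt; do
    if chains_to_bundle demo-client.crt "$b"; then r="accepted"; else r="not accepted"; fi
    echo "$b ($(count_certs "$b") CA certs): demo-client.crt $r"
done
```

The same `chains_to_bundle` check can be pointed at a real client certificate and the file named in SSLCACertificateFile before restarting the server.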