As I told you, the things between -----BEGIN CERTIFICATE----- up to a 
-----END CERTIFICATE-----
(including those tags) are the PEM encoded certificates. Everything else is 
considered a comment.
Actually you can create those comments with the help of openssl 
(http://www.openssl.org):
openssl x509 -in mycert.crt -noout -text
Or
openssl x509 -in mycert.crt -inform DER -noout -text
if your certificate is in DER format

To convert a certificate from DER to PEM (native to mod_ssl) just do
openssl x509 -in mydercert.crt -inform DER -out mypemcert
and voila

To just trust one CA, use the directive
SSLCACertificateFile ca-dff.crt

ENSURE your certificate is in PEM format (has -----BEGIN CERTIFICATE-----).
If you later want to trust another CA, just cat the new cert to ca-dff.crt, 
always in PEM format.

Once again, between -----END CERTIFICATE----- and the next -----BEGIN 
CERTIFICATE-----
is all comment to mod_ssl, so don't worry about the missing info.


Good luck

Diego


At 15:28 19/3/2001 +0100, you wrote:
>Ah! With the ca-bundle.crt now at least my thawte cert works...
>
>But since I want only OUR CA to be trusted I need just the
>ca-dff.crt instead of the ca-bundle.crt.
>
>But looking at the file I see very big differences
>in the file format.
>
>For each CA there is much more information besides the
>PEM data (which is the only thing in my ca-dff.crt).
>It's pretty verbose including the fingerprint as well
>as some plain text infos about the cert.
>
>Maybe it is sorted out because these infos are missing?
>
>I wonder how I can create such a format for my CA cert.
>Do you have an idea?
>
>Thanks
>--
>Torsten
>
> > Same thing happened to me. Then I configured a CA certificate file and
> > things went straight.
> > The idea is that when the SSL handshake takes place, the server asks for a
> > certificate which
> > he will consider valid. That is signed by a trusted CA.
> > The server sends what HE considers to be trusted CA's to the browser, and
> > the browser filters
> > the installed certificates, and shows only those signed by one of the
> > server trusted CA's.
> > IE5 seems a little stupid.. and if no certificate passes this condition he
> > just presents an empty dialog.
> > Just create a text file and drop there all your trusted CA's in PEM format,
> > (those that say -----BEGIN CERTIFICATE----- )
> > Just cat them all, one after another. You can even place comments in
> > between them as mod_ssl will just parse
> > from a -----BEGIN CERTIFICATE----- up to a -----END CERTIFICATE-----.
> > Then add the directive
> > SSLCACertificateFile certs/my_trusted_cas.crt
> >
> > Obviously replacing 'certs/my_trusted_cas.crt' by the path and name of the
> > recently created file.
> >
> > Now just try again.
> > mod_ssl distribution comes with a file named ca-bundle.crt containing the
> > certificates for what netscape considers trusted CA's.
> > You can use that one and add your ca-dff.crt in PEM format.
> > Try yourself by adding and removing that entry and you'll see that when the
> > browser asks you to select a certificate, the newly
> > created cert will appear or not depending on the presence of 'ca-dff.crt'
> > in that trusted CA's file of the server.
> > Hope that helps you.
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]

Diego Tártara
[EMAIL PROTECTED]
------------------------------------------
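Added example, not part of Diego's message or of mod_ssl itself: a small Python reader for a CA bundle that behaves the way the thread describes (only the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- count, everything else is a comment) plus a sanity check that each block's base64 body is one complete DER SEQUENCE, which is what a PEM certificate wraps. The sample bundle and its two tiny payloads are constructed stand-ins, not real CA certificates; only the standard library is assumed.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed sample bundle, not a real CA file: ca-bundle.crt-style notes
# around two PEM blocks whose payloads are tiny hand-built DER SEQUENCEs.
SAMPLE_BUNDLE = """\
Example CA One (constructed)
MD5 Fingerprint: placeholder, not a real fingerprint
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
Example CA Two (constructed)
-----BEGIN CERTIFICATE-----
MAQCAgEC
-----END CERTIFICATE-----
"""

def extract_pem_blocks(text):
    # Only BEGIN..END lines count; anything outside is a comment, as in mod_ssl.
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def der_sequence_ok(pem_block):
    # Does the base64 body decode to exactly one DER SEQUENCE (tag 0x30)?
    # Catches a truncated paste or junk between markers; not a chain check.
    body = "".join(pem_block.splitlines()[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1] & 0x7F if der[1] >= 0x80 else 0   # n == 0: short-form length
    if der[1] >= 0x80 and (n == 0 or len(der) < 2 + n):
        return False                              # indefinite or truncated
    length = der[1] if n == 0 else int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)
```

An empty list from extract_pem_blocks on a file you expected to hold a CA is the usual symptom of a DER certificate that still needs the openssl -inform DER conversion shown above.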
