FYI:
IE5 (and other versions) looks for certificates in a chain by checking
the DN _and_ the serial number of the certificate. So if your CA expires and
you re-certify your CA, you get the same DN but (of course) not the same
serial number. That's why the chain is broken.
Ralf Wigand
--
[EMAIL PROTECTED]
Webmaster - MicroBIT - CA-Leiter - RZ-Pools
> -----Original Message-----
> From: Ralf Wigand [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 03, 2001 5:58 PM
> To: [EMAIL PROTECTED]
> Subject: chain changed...
>
>
> hi!
>
> I have an (urgent :-) problem: using Apache with mod_ssl:
>
> I have a chain of: CA1 - CA2 - CA3 - server
>
> Client (MSIE5.0) could successfully verify the complete chain.
>
> now the certificate of CA3 expired, so CA2 signed again the same request
> that CA3 sent a year ago. I built a new chain file, and
> openssl s_client etc... shows the new certificates are delivered,
> but...
>
> the client (MSIE 5.0) now says that the chain could not be verified.
> Client cannot even verify CA3. Is there a cache? Did I do something wrong
> with the re-signing of the request? Is there another way of
> handling expired CAs?
>
> TIA.
>
> Ralf Wigand
> --
> [EMAIL PROTECTED]
> Webmaster - MicroBIT - CA-Leiter - RZ-Pools
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
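The matching rule Ralf describes, modelled in a small chain builder. This is an added example, not code from the post, from mod_ssl or from OpenSSL: certificates are plain in-memory records with no keys or signatures, and the DNs, serial numbers and the two matching policies are constructed assumptions. The DN-plus-serial pair is what the X.509 Authority Key Identifier extension carries in its issuer/serial form, so a server certificate issued under the old CA3 still pins the old CA3 serial; a client that matches issuers by DN and serial then finds no issuer for it once CA3 has been re-signed with a new serial, while a client that matches by DN alone still builds the chain.

```python
"""Model of X.509 chain building: why re-signing an intermediate CA
(same DN, new serial number) breaks clients that match an issuer by
DN *and* serial.  Added example; all certificates below are constructed
in-memory records, not real X.509 data.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Cert:
    subject: str                                   # subject DN
    issuer: str                                    # issuer DN
    serial: int                                    # serial assigned by the issuer
    # Authority Key Identifier in its issuer/serial form: DN and serial of
    # the issuer's certificate at the moment this certificate was signed.
    aki_issuer_serial: Optional[Tuple[str, int]] = None


def issued_by_dn(issuer: Cert, subject: Cert) -> bool:
    """Lenient policy: the issuer's subject DN equals the cert's issuer DN."""
    return issuer.subject == subject.issuer


def issued_by_dn_and_serial(issuer: Cert, subject: Cert) -> bool:
    """Strict policy (the behaviour described for MSIE 5): the DN must
    match, and if the cert pins its issuer by serial, the serial must too."""
    if issuer.subject != subject.issuer:
        return False
    if subject.aki_issuer_serial is None:
        return True
    pinned_dn, pinned_serial = subject.aki_issuer_serial
    return pinned_dn == issuer.subject and pinned_serial == issuer.serial


def build_chain(leaf: Cert, store: List[Cert],
                match: Callable[[Cert, Cert], bool],
                max_depth: int = 10) -> Optional[List[Cert]]:
    """Walk from the leaf towards a self-signed root, choosing each issuer
    with `match`.  Returns the chain, or None if some issuer is not found."""
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.subject == current.issuer:      # reached a self-signed root
            return chain
        candidates = [c for c in store if match(c, current)]
        if not candidates:
            return None
        current = candidates[0]
        chain.append(current)
    return None


def sign(issuer: Cert, subject_dn: str, serial: int) -> Cert:
    """Issue a certificate under `issuer`, recording the issuer's DN and
    serial in the AKI field, as the original chain would have."""
    return Cert(subject=subject_dn, issuer=issuer.subject, serial=serial,
                aki_issuer_serial=(issuer.subject, issuer.serial))


# Constructed sample PKI mirroring the post: CA1 - CA2 - CA3 - server.
CA1 = Cert(subject="CN=CA1", issuer="CN=CA1", serial=1)   # self-signed root
CA2 = sign(CA1, "CN=CA2", serial=1001)
CA3 = sign(CA2, "CN=CA3", serial=2001)
SERVER = sign(CA3, "CN=www.example.invalid", serial=3001)

# CA3 expires; CA2 re-signs CA3's old request: same DN, new serial number.
CA3_RENEWED = sign(CA2, "CN=CA3", serial=2002)

ORIGINAL_STORE = [CA1, CA2, CA3]
RENEWED_STORE = [CA1, CA2, CA3_RENEWED]      # the new chain file served by Apache


def chain_lengths(store: List[Cert]) -> Tuple[int, int]:
    """Chain length found for SERVER under (lenient, strict) matching;
    0 means that policy could not find an issuer."""
    lenient = build_chain(SERVER, store, issued_by_dn)
    strict = build_chain(SERVER, store, issued_by_dn_and_serial)
    return (len(lenient) if lenient else 0, len(strict) if strict else 0)


if __name__ == "__main__":
    print("original chain file (lenient, strict):", chain_lengths(ORIGINAL_STORE))  # (4, 4)
    print("renewed CA3 (lenient, strict):        ", chain_lengths(RENEWED_STORE))   # (4, 0)
```

Under the lenient policy the renewed chain still resolves to four certificates; under the DN-plus-serial policy the server certificate's pinned serial 2001 never matches the re-signed CA3 (serial 2002), so chain building stops at the server certificate, which is the symptom reported in the post.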