Re: R: Cert signed by own CA and IE

Sun, 20 May 2001 03:40:40 -0700 

Genkin.

I think I know what your problem is.
You must add the issuer of the certificate to the certificate chain. The
problem is that IE doesn't have the ROOT (isuuer) for the certificate and it
must have the entire chain to consider it trusted.
Place the issuer (I think Thpoon CA) to the certificate chain (usually
ca-bundle.pem) so mod_ssl has a way to offer the entire certification chain
to the browser.
Right now this is not happening as IE can not retrieve the ROOT certificate
from the sesion.

Hope it works, drop me a line

Diego

----- Original Message -----
From: "Arcady Genkin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 16, 2001 10:01 PM
Subject: Re: R: Cert signed by own CA and IE


> "Andrea Cerrito" <[EMAIL PROTECTED]> writes:
>
> > > > > Connecting to a secure site with a certificate signed by own CA,
IE
> > > > > seems to provide no obvious way of permanently adding the cert to
the
> > > > > browser's configuration.  As a result, a warning that "The
security
> > > > > certificate is issued by a company you have not chosen to
trust..." is
> > > > > displayed every time I'm trying to establish a connection.  Is
there a
> > > > > fool-proof way to permanently add a certificate or tell IE that
the CA
> > > > > is to be trusted?
> > > >
> > > > Show Certificate / Install Certificate.
> > >
> > > I tried that, and it didn't work.  It told me that the certificate was
> > > installed successfully, but once I quit IE, restart it, and load the
> > > page again, it displays the same warning again.
> > >
> > > The minimal html page I'm experimenting with is at
https://www.thpoon.com
> > > If anyone would try to install the certificate from it in IE: maybe I
> > > did something wrong with configuration?
> >
> > I wasn't able to install it.  Can u print your conf?
>
> You mean from httpd.conf?  Since it's huge, I've posted it at
>
>   http://www.thpoon.com/tmp/httpd.conf
>
> rather than sending to the list.  The SSL-related stuff is at the
> bottom of it.
>
> Thanks!
>
> p.s.  This is a repost, since I have replied from a different email
> address than the one I've subscribed from and I'm afraid that it
> didn't come through.  Sorry if this is a dupe.
> --
> Arcady Genkin
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to