On Friday 13 October 2006 08:21, BB wrote:
> > Are you able to post the certificate here? It sounds like the issue may
> > be the key usage, or an entry in some other field - I've seen results
> > like this if you don't have key agreement set, or some of the other
> > fields mangled, or particular security settings enabled in your
> > certificate.
>
> Hi,
>
> Please find attached the CA cert and the server cert.
>
> I can successfully import the CA cert into IE, under Trusted Root
> Certification Authorities.
>
> If I download the server cert and open it from Windows (XP), its
> description says:
>
> "This certification authority does not appear to be allowed to issue
> certificates or cannot be used as an end-entity certificate."
>

And that would most likely be your problem - the CA Certificate should have
the following extensions:

Basic Constraints: CA:TRUE
Key Usage: DigitalSignature, CertificateSign, CrlSign

If you re-gen your CA Certificate with those usages, and then re-sign your
Server certificate (which itself, should have the Key Usage extension set to
digital Signature and key Encipherment), your issue should go away :)

--
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
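Added example, not part of the original message: the shell sketch below builds a throwaway CA and server certificate with the extensions named in the reply, then repeats the run with a CA marked CA:FALSE so that openssl verify rejects the chain. The subject names, file names, 30-day lifetime, section names and the v3_not_ca variant are assumptions made for the illustration, and the openssl command-line tool must be installed.

```shell
# Added illustration: CA and server certificates with the extensions from the reply.
# Subject names, paths, lifetimes and section names are constructed placeholders.
sign_and_verify() {   # $1 = work dir, $2 = extension section applied to the CA
  dir=$1 ca_sect=$2
  mkdir -p "$dir" || return 2
  cat > "$dir/ext.cnf" <<'EOF' || return 2
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, cRLSign
[ v3_not_ca ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ v3_server ]
keyUsage = digitalSignature, keyEncipherment
EOF
  # Self-signed CA certificate carrying the chosen extension section.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$dir/ext.cnf" -extensions "$ca_sect" -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 2
  # Server key and signing request.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 2
  # Re-sign the server certificate with the CA, adding the server key usage.
  openssl x509 -req -in "$dir/server.csr" -days 30 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions v3_server \
    -out "$dir/server.crt" 2>/dev/null || return 2
  # Exit status 0 only if the chain validates against this CA.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
}

work=$(mktemp -d)
for sect in v3_ca v3_not_ca; do
  if sign_and_verify "$work/$sect" "$sect" >/dev/null 2>&1; then
    echo "$sect: server certificate verifies"
  else
    echo "$sect: verification fails"
  fi
done
rm -rf "$work"
```

Running `openssl x509 -in ca.crt -noout -text` on an existing CA certificate shows whether the Basic Constraints and Key Usage extensions are present before deciding to regenerate it.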