Tim Bouwer wrote:
[...]
> properly which is the problem. As far as I can see the browser has the
> cert - netscape says Certificate not trusted
> if I click on "verify" though... but I assume that is because it is issued
> by my CA server and not one of the
> main CA's out there?
No, that's because you did not imported the CA certifcate into the browser.
> I need to be clear on what to do with the certificates.
> 1. I must generate a self signed certificate from the web interface (CA
> Management) - this certificate must become the cert that my web server uses
> when it starts up (both the CA and the RA server use the same cert?)
Yes, this is the CA certificate: it is used to issue new certificates, it
is not the web server's certificate. When the CA certificate is created then
you can use the bin/issue_certs.bin script to issue the web servers
certificates.
> 2. I must generate a user cert which I import into my browser. Do I also
> have to import something else into my browser?
Yes, the CA certificate - this will give you the ability to correctly
verify your certificate from Netscape.
Check the cgi-secure/ directory and take a look at the secure.cnf config.
There take a look at the "CACert" line. You have to put the CA certificate
(you find it into the $ca_dir/ ) where the CACert keyword points.
Then you'll be able to download it into your browser using the secure
server.
> The cert I generated and self-sign on the CA server: At the moment when I
> do that and try to connect to the web site I get: SSL handshake failed -
> OpenSSL library error 14094412:SSL routines:SSL3_READ_BYTES: sslv3 alert
> bad certificate [Hint: Subject CN in certificate not server name or
> identical to CA!?]
For the web server it is good to set the CN to the web server name (i.e.
www.secure.org) otherwise Netscape will complain about a Name Check failure.
Also be sure the mod_ssl is correctly compiled and it is meant for the
installed version of OpenSSL.
> Instead of OpenCA I out my own fictitious company name in and in the CN I
> put the web server domain name is this correct?
Yes, usually you'll want to use on the CA certificate:
CN=Certification Authority
O=Your Organization Name
C=CA's Country
For web server certificates:
CN=www.yourdomain.net (*)
OU=Web Server (**)
O=Your Organization Name
C=CA's Country
Where:
(*) I have also seen CN set to '*.yourdomain.net' but I don't know
if this is deprecated or not.
(**) Optional Field.
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
S/MIME Cryptographic Signature