Tim Bouwer wrote:

[...]
> properly which is the problem.  As far as I can see the browser has the
> cert - netscape says Certificate not trusted
> if I click on "verify" though... but I assume that is because it is issued
> by my CA server and not one of the
> main CA's out there?

No, that's because you did not imported the CA certifcate into the browser.

> I need to be clear on what to do with the certificates.
> 1.  I must generate a self signed certificate from the web interface (CA
> Management) - this certificate must become the cert that my web server uses
> when it starts up (both the CA and the RA server use the same cert?)

Yes, this is the CA certificate: it is used to issue new certificates, it
is not the web server's certificate. When the CA certificate is created then
you can use the bin/issue_certs.bin script to issue the web servers
certificates.

> 2.  I must generate a user cert which I import into my browser.  Do I also
> have to import something else into my browser?

Yes, the CA certificate - this will give you the ability to correctly
verify your certificate from Netscape.

Check the cgi-secure/ directory and take a look at the secure.cnf config.
There take a look at the "CACert" line. You have to put the CA certificate
(you find it into the $ca_dir/ ) where the CACert keyword points.

Then you'll be able to download it into your browser using the secure
server.

> The cert I generated and self-sign on the CA server:  At the moment when I
> do that and try to connect to the web site I get: SSL handshake failed -
> OpenSSL library error 14094412:SSL routines:SSL3_READ_BYTES:  sslv3 alert
> bad certificate [Hint: Subject CN in certificate not server name or
> identical to CA!?]

For the web server it is good to set the CN to the web server name (i.e.
www.secure.org) otherwise Netscape will complain about a Name Check failure.
Also be sure the mod_ssl is correctly compiled and it is meant for the
installed version of OpenSSL.

> Instead of OpenCA I out my own fictitious company name in and in the CN I
> put the web server domain name is this correct?

Yes, usually you'll want to use on the CA certificate:

        CN=Certification Authority
        O=Your Organization Name
        C=CA's Country

For web server certificates:

        CN=www.yourdomain.net (*)
        OU=Web Server (**)
        O=Your Organization Name
        C=CA's Country

Where:

        (*) I have also seen CN set to '*.yourdomain.net' but I don't know
            if this is deprecated or not.

        (**) Optional Field.

-- 

C'you,

        Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                [EMAIL PROTECTED]
                                                     [EMAIL PROTECTED]
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365

S/MIME Cryptographic Signature

Reply via email to