> On Monday 17 November 2003 18:00, Gottfried Scheckenbach wrote:
>
>> > 5. Import the CSR into the Root RA and get the Root CA to sign.
>>
>> Don't forget to change (on root-ra) the Role in CSR to Sub-CA!
>>
>> > 7.5 Run make in the chain directory.
>> >
>> > 8. Rebuild the Sub CA chain.
>>
>> Step 7.5 is done by step 8 (I think - I didn't run make). I have also
>> placed the root-ca cert into chain directory on ra... I don't know if
>> it's really necessary but it makes no problems ;-)
Sorry, perhaps I gave you a wrong hint - but I don't know it any better... I also have a strange problem, perhaps connected with chaining too: my sub-ca CRL has the issuer of the root-ca - see my mails from 2003/11/17. The problem isn't solved yet.
> OK, I have done all of this, but when I test a client certificate using the
> "Test Certificate" link in the Public server I get the same old error:
>
> "The signature is not valid. PKCS#7-Error 7932021: OpenCA::PKCS7->parseDepth:
> The chain is not complete. (6102).
I can't check this because in my installation I use at the moment non-SSL-secured ra and ca interfaces. Thus the browser gets no request for presenting its client certificate...
But in my case, the following scenarios work without problems:
- Importing root-ca cert in IE and Mozilla
  Users see then only the root-ca cert in cert management
- Importing user-cert and private key via pkcs12
  Users see then their own cert and sub-ca cert in cert management
- In Mozilla and IE/Outlook all user certs are valid
- With Mozilla signatures, sig verification, en- and decryption work
- With Outlook signatures, sig verification, decryption work; encryption fails with some error
And I have set up the ocsp responder and this seems to work with Mozilla too.
> On the screen the issuers DN is that of the sub CA cert.
This seems ok...
> If I run the command "openssl pkcs7 -in sig -print_certs -noout"
>
> I get the subject as the cert that was used to sign and the issuer as the sub
> CA cert. There is no root CA cert.
Ok, I checked the pkcs12 file which I first imported into my Mozilla:
[EMAIL PROTECTED]:/xtelligent/home/gosc/X_tmp> openssl pkcs12 -in gottfried_scheckenbach.p12 -clcerts
Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 84 CB DA 6B 84 EA A0 05 41 88 2B E6 EC 8F 1D 5E 3A B9 67 A1
subject=/C=DE/O=Xtelligent/OU=Trustcenter/O=Xtelligent IT Consulting GmbH CA/OU=Interne Mitarbeiter/CN=Gottfried Scheckenbach/SN=1
issuer= /C=DE/O=Xtelligent/OU=Trustcenter/O=Xtelligent IT Consulting GmbH CA/OU=TCOperating/CN=Operator Xtelligent IT Consulting GmbH CA/SN=3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 84 CB DA 6B 84 EA A0 05 41 88 2B E6 EC 8F 1D 5E 3A B9 67 A1
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C39E63178DF2FE2C
...
-----END RSA PRIVATE KEY-----
Here we have the client certificate - subject and issuer are ok.
[EMAIL PROTECTED]:/xtelligent/home/gosc/X_tmp> openssl pkcs12 -in gottfried_scheckenbach.p12 -cacerts
Enter Import Password:
MAC verified OK
Bag Attributes: <Empty Attributes>
subject=/C=DE/O=Xtelligent/OU=Trustcenter/O=Xtelligent IT Consulting GmbH CA/OU=TCOperating/CN=Operator Xtelligent IT Consulting GmbH CA/SN=3
issuer= /C=DE/O=Xtelligent/OU=Trustcenter/O=Xtelligent Root CA/OU=TCOperating/CN=Operator Xtelligent Root CA/[EMAIL PROTECTED]
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 84 CB DA 6B 84 EA A0 05 41 88 2B E6 EC 8F 1D 5E 3A B9 67 A1
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A56D8AC3DAE5F215
...
-----END RSA PRIVATE KEY-----
And here we have the CA certificates - subject and issuer are also ok, and no root-ca cert. When I export the same cert from my browser, I get the same output, but in the case of the cacerts I get the root-ca cert too.
> If I install the sub and root CA certs into IE
You shouldn't have to install the sub-ca cert manually... I get it after the first import of the pkcs12 file - no wonder, because it's inside... (which I had not known before, but otherwise there would be no chance to do the job ;-).
> This is driving me round the bend, as until I can get these signatures sorted
> out I can not use the batch processes on the CA to automate the CA
> procedures.
Give it another chance: generate a basic request and export your key/cert to pkcs12. Then compare it with my exports. I can't show you pkcs7 exports because I don't use client-side generated keys/CSRs and - somewhat silly - my test CA is not yet installed...
Hope this helps!
Regards, Gottfried
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users