sorry, perhaps I gave you a wrong hint - but I don't know it better... I have also a strange problem eventually connected with chaining too: My sub-ca crl has the issuer of the root-ca - see my mails from 2003/11/17. The problem isn't solved, yet.
Yes, I have seen this. I do not have this problem. The issuer of my sub CA CRL is the Sub CA. This may be because I have taken the decision not to issue CRL from the Root CA.
I think the CRLs of the CAs must be (and are) independent: the root-ca normally only signs sub-ca-certs (and administrative certs) and if one of these certs has to be revoked it must become part of the root-ca CRL. And the same principle holds for each sub-ca.
I can't check this because in my installation I use at the moment non-SSL-secured ra and ca interfaces. Thus the browser gets no request for presenting its client certificate...
There is a "Test Certificate" function in the public interface. This is what I am using. The client can use this function and sign a page, the signature is then checked.
Yes I know... But on clicking on "Test Certificate" I get:
The relevant data about the certificate presented by the browser is the following:
Variable Value
Session Protocol:
Session Chiper:
Session Key Size:
Server Distinguished Name:
Client Authentication:
Client Distinguished Name:
And on clicking on "Sign" nothing happens... And this must have to do with my non-SSL-enabled Apache config (this is new stuff for me, thus I have decided to enable SSL later).
But perhaps it's an easy task and you can send me your config and some comments about the SSL-relevant entries. Then I can make it work on the public interfaces of my root and sub-ca and I'll check this out.
But in my case, the following scenarios work without problems:
- Importing root-ca cert in IE and Mozilla
  Users see then only the root-ca cert in cert management
- Importing user-cert and private Key via pkcs12
  Users see then their own cert and sub-ca cert in cert management
- In Mozilla and IE/Outlook all user certs are valid
- With Mozilla signatures, sig verification, en- and decryption work
- With Outlook signatures, sig verification, decryption work
  encryption fails with some error
Yes, all this is fine with me too !
I think that my certs are correct, I believe the problem is in the signature checking code. Although I could be wrong !!!
Yes, now it's clear - it seems there is a problem in the appropriate OpenCA code...
Regards, Gottfried
_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
