xiaohudong wrote:
>
> Hi,
> Thanks for Coronado's answer first.
> But I think my problem is not that.
> I generated three certificates, one is self-signed for the CA, one is for the IIS server, and
> the last one is for IE. The last two are signed by the first one.
> I get every certificate in the right place (I think so :-). I'll just describe the
> situation in IE: the CA certificate is imported to the trusted root CA category,
> the IE's certificate is imported to the personal category. After installing, I viewed
> the certificates, and IE said that there is no problem.
> When I connected to the IIS server, the server's certificate is accepted by IE,
> but the personal certificate doesn't have the fortune. It seems that IE can't find it
> or doesn't think it can be used for signing myself.
> Oh my god, save me! (Does god know certificates?)
>
The usual reason for this is a misconfigured server. Specifically the
server needs to have your CA installed so it can send it back to the
client in its "acceptable CA" list. The client will only give you a
choice of certificates signed by CAs the server considers acceptable.
You can check the list by connecting with the OpenSSL s_client utility and
seeing what list it sends. You may need the -prexit option and may also
need to get an appropriate page, e.g.

    openssl s_client -connect myhost.com:443 -prexit

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
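
The check described in the reply above, as an added example that is not part of the original message: it pulls the "Acceptable client certificate CA names" section out of s_client output and reports whether a given issuer DN is in it. The function names, the sample output and the DNs are constructed for illustration, and the DN is matched exactly as s_client printed it.

```shell
#!/bin/sh
# Real input would come from, e.g.:
#   out=$(openssl s_client -connect myhost.com:443 -prexit </dev/null 2>&1)
# Constructed sample of s_client output (not captured from a real server).
SAMPLE_OUTPUT='---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Root CA
/C=US/O=Example Corp/CN=Example Issuing CA
Client Certificate Types: RSA sign, DSA sign
---
SSL handshake has read 2345 bytes and written 456 bytes'

# Constructed sample where the server sent no CA names at all.
SAMPLE_EMPTY='---
No client certificate CA names sent
---'

# Print each acceptable CA name once, given s_client output in $1.
# The list ends at a "---" separator or at the next "Label: value" line.
acceptable_cas() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^[A-Za-z ]+: /)    { in_list = 0 }
        in_list && NF && !seen[$0]++              { print }
    '
}

# Return 0 if issuer DN $2 is in the list the server sent ($1 = s_client output).
issuer_acceptable() {
    acceptable_cas "$1" | grep -Fxq -- "$2"
}

# Classify the result for a client certificate issued by DN $2:
#   no-ca-list  no CA names were found in the output
#   offered     the issuer is in the server's list
#   filtered    a list was sent, but the issuer is not in it
diagnose() {
    if [ -z "$(acceptable_cas "$1")" ]; then
        echo "no-ca-list"
    elif issuer_acceptable "$1" "$2"; then
        echo "offered"
    else
        echo "filtered"
    fi
}
```

A "filtered" result matches the symptom in the question: the server sent a list, the CA that signed the personal certificate is not on it, so the client has nothing to offer.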