Title: RE: Can't (programmatically) generate browser-compatible SSL certs

Make sure your common name (i.e. www.yahoo.com) in the cert is the resolved DNS name you are using to pull up the site. Also make sure you have a server certificate or intermediate.ca configured.

-----Original Message-----
From: Ng Pheng Siong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 26, 2000 11:05 AM
To: [EMAIL PROTECTED]
Subject: Re: Can't (programmatically) generate browser-compatible SSL
certs


On Tue, Dec 26, 2000 at 11:15:36AM -0500, Rich Salz wrote:
>       [Tue Dec 26 11:11:35 2000] [error] mod_ssl: SSL handshake failed
>       (server os390.caveosystems.com:8443, client 10.139.16.1) (OpenSSL
>       library error follows)
>       [Tue Dec 26 11:11:35 2000] [error] OpenSSL: error:14094412:SSL
>       routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject
>       CN in certificate not server name or identical to CA!?]

Rich,

I don't know if this is it, but your CA cert doesn't (seem to)
contain an X.509v3 Basic Constraint that says "CA: True".

Here's what M2Crypto's CA cert (generated by CA.pl) says:

/usr/local/home/ngps/prog/m2/demo/ssl:$ python
Python 2.0 (#4, Oct 18 2000, 23:09:30)
[GCC 2.95.2 19991024 (release)] on freebsd4
Type "copyright", "credits" or "license" for more information.
>>> from M2Crypto import X509
>>> c = X509.load_cert('ca.pem')
>>> print c.as_text()
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=SG, O=M2Crypto, OU=M2Crypto CA, CN=M2Crypto Certificate [EMAIL PROTECTED]
        Validity
            Not Before: Sep 10 08:58:35 2000 GMT
            Not After : Sep 10 08:58:35 2003 GMT
        Subject: C=SG, O=M2Crypto, OU=M2Crypto CA, CN=M2Crypto Certificate [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [...]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FB:87:23:69:EB:9C:3A:93:15:E5:C5:BF:29:51:4F:FE:ED:28:38:01
            X509v3 Authority Key Identifier:
                keyid:FB:87:23:69:EB:9C:3A:93:15:E5:C5:BF:29:51:4F:FE:ED:28:38:01
                DirName:/C=SG/O=M2Crypto/OU=M2Crypto CA/CN=M2Crypto Certificate Master/Email=ngps@post1
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        [...]
>>>


Cheers.
--
Ng Pheng Siong <[EMAIL PROTECTED]> * http://www.post1.com/home/ngps

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
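The two checks suggested in this thread (subject CN equal to the host name in use, and a CA certificate that carries Basic Constraints CA:TRUE), as an added example that is not part of the original messages. It uses the Python `cryptography` package instead of M2Crypto; the helper functions, names and throwaway keys are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, ca=None):
    """Sign a certificate for `cn`; ca=None leaves Basic Constraints out."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
    )
    if ca is not None:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    return builder.sign(issuer_key, hashes.SHA256())

def is_ca(cert):
    """True only if Basic Constraints is present and says CA:TRUE."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return ext.value.ca

def cn_matches(cert, hostname):
    """Compare the subject CN with the name the client connects to."""
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return any(a.value.lower() == hostname.lower() for a in cns)

# Constructed sample names and throwaway keys, for illustration only.
ca_key = ec.generate_private_key(ec.SECP256R1())
srv_key = ec.generate_private_key(ec.SECP256R1())
good_ca = make_cert("Example Test CA", ca_key, "Example Test CA", ca_key, ca=True)
bare_ca = make_cert("Example Test CA", ca_key, "Example Test CA", ca_key)
server = make_cert("www.example.test", srv_key, "Example Test CA", ca_key, ca=False)
```

Current browsers match the host name against the subjectAltName extension rather than the CN, so a certificate generated today needs a SAN entry as well.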
