"Kenneth R. Robinette" wrote:
>
>
> The .csr/.key is generated using the following commands:
>
> openssl genrsa -out server.key 1024
> openssl req -new -config /tmp/openssl.cnf -key server.key -out server.csr
>
> I then sign it with the openssl ca program with a self generated/self
> signed ca crt and key. I then transfer the resulting server.key and
> server.csr to the Unix workstation and place in:
>
> /usr/local/apache/ssl.crt/server.crt
> /usr/local/apache/ssl.key/server.key
>
> I start up the Apache server, then use the Microsoft Internet
> Explorer on Windows 98 to connect to the Apache server.
> Everything goes well, the Microsoft Explorer knows that the cert is
> signed by a CA that is in its list of CA certs, gives the proper
> warning, etc. and it displays a dialog box asking if I wish to proceed.
> I accept the yes button and the https page is displayed correctly.
>
> I then login to the Redhat Linux system and start the Netscape client.
> It states that it has received an improperly formatted cert and does
> nothing more.
>
> I then take the .csr and .key file mentioned above, transfer both to the
> Linux workstation and use the same openssl ca command to sign the
> cert. I then transfer the resulting .crt and .key to the locations
> shown above. I restart Apache, and try Netscape again. This time
> it is happy and does much like the Microsoft Explorer, it displays a
> dialog stating it does not know about the ca and asks if I would like
> to add it.
>
> Note that the .csr and .key are identical in both cases. In both
> cases they have been created on the Windows workstation. Note
> that the ca .crt and .key are identical in both cases. The only
> difference is where the .csr and .key file for the server.crt is signed,
> but the openssl ca program is provided the identical input and .cnf
> file in both cases.
>
> Note that in both cases, I have not imported anything into the
> Explorer or Netscape. I am simply trying to connect to the www site
> using a https: url to test the installation of the Apache/mod-ssl .crt
> and .key file.
>
Strange problem. When you accept the certificate on Netscape do you
click to accept it for the session or until it expires? Also if the two
certificates are virtually identical Netscape may have problems
distinguishing the two if one is already in its database.
See what happens if you wipe the Netscape database between the two
tests. You can do this by renaming the key3.db and cert7.db files
usually found under ~/.netscape.
Also see if you get similar results with the s_server utility.
If none of that helps send me the various certificate files and I'll see
if I can see anything that might cause this.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
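As an added illustration (not code from this thread, and not part of Dr Henson's reply): before mailing the certificate files around, the framing of each server.crt can be checked locally. The script below, using only the Python standard library, reads a PEM file and reports CRLF line endings, a BEGIN/END label mismatch or an unexpected block type (a CERTIFICATE REQUEST where a CERTIFICATE was expected), invalid base64, and a DER SEQUENCE length header that does not match the bytes actually present; it also compares the DER payloads of two PEM files so the Windows-signed and Linux-signed certificates can be compared independently of line endings. The sample inputs are constructed: the DER payload is a toy SEQUENCE, not a real certificate, so the check covers the PEM/DER container only, not the certificate's contents.

```python
import base64
import re

# One PEM block: label on the BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END ([A-Z ]+)-----", re.S)


def der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE (used only to build the constructed samples)."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length)]) + length + payload


def pem_wrap(label: str, der: bytes, eol: str = "\n") -> str:
    """PEM-encode DER bytes in 64-column base64 with the given line terminator."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + eol


def der_outer_length(der: bytes):
    """Return (header_len, content_len) of a DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2, first
    nbytes = first & 0x7F                  # long-form: number of length octets
    if nbytes == 0 or len(der) < 2 + nbytes:
        return None
    return 2 + nbytes, int.from_bytes(der[2:2 + nbytes], "big")


def check_pem(text: str, expected: str = "CERTIFICATE") -> dict:
    """Report framing problems in a PEM file: line endings, block labels,
    base64 validity and whether the DER length header matches the payload."""
    report = {"blocks": [], "problems": []}
    if "\r\n" in text:
        report["problems"].append("CRLF line endings")
    found = False
    for m in PEM_BLOCK.finditer(text):
        found = True
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            report["problems"].append(f"BEGIN {begin} closed by END {end}")
        if begin != expected:
            report["problems"].append(f"expected {expected} block, found {begin}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            report["problems"].append(f"{begin}: body is not valid base64")
            continue
        hdr = der_outer_length(der)
        if hdr is None:
            report["problems"].append(f"{begin}: payload does not start with a DER SEQUENCE")
        elif hdr[0] + hdr[1] != len(der):
            report["problems"].append(
                f"{begin}: DER header says {hdr[1]} content bytes, file has {len(der) - hdr[0]}")
        report["blocks"].append({"label": begin, "der_len": len(der)})
    if not found:
        report["problems"].append("no PEM block found")
    return report


def der_payloads(text: str) -> list:
    """Decoded DER payload of every PEM block, None for a block that fails base64."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        try:
            out.append(base64.b64decode("".join(m.group(2).split()), validate=True))
        except ValueError:
            out.append(None)
    return out


def same_der(text_a: str, text_b: str) -> bool:
    """True when two PEM files carry byte-identical DER payloads, whatever their line endings."""
    return der_payloads(text_a) == der_payloads(text_b)


# Constructed samples (not real certificates): a toy SEQUENCE { INTEGER 1, OCTET STRING "hello" }
SAMPLE_DER = der_sequence(b"\x02\x01\x01\x04\x05hello")
GOOD_PEM = pem_wrap("CERTIFICATE", SAMPLE_DER)
CRLF_PEM = pem_wrap("CERTIFICATE", SAMPLE_DER, eol="\r\n")      # as after a text-mode transfer
TRUNCATED_PEM = pem_wrap("CERTIFICATE", SAMPLE_DER[:-3])        # last bytes lost
CSR_PEM = pem_wrap("CERTIFICATE REQUEST", SAMPLE_DER)           # a .csr copied where a .crt belongs

if __name__ == "__main__":
    for name, pem in [("good", GOOD_PEM), ("crlf", CRLF_PEM),
                      ("truncated", TRUNCATED_PEM), ("csr", CSR_PEM)]:
        print(name, check_pem(pem))
    print("good == crlf payload:", same_der(GOOD_PEM, CRLF_PEM))
```

To use it on real files, read each server.crt as text (open(path, newline="") so CRLFs survive) and pass the contents to check_pem, or pass both the Windows-signed and the Linux-signed file to same_der; a False there means the two signings really did produce different certificates, which is worth knowing before any browser-side debugging.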