Date sent: Fri, 19 Jan 2001 20:01:53 +0000
From: Dr S N Henson <[EMAIL PROTECTED]>
Organization: S N Henson
To: [EMAIL PROTECTED]
Subject: Re: Win32 CA signed Apache Server-Netscape .CRT Problem
Send reply to: [EMAIL PROTECTED]
Dr. Henson,
As I stated before, Netscape never gets to the point of asking if I am
willing to accept the bad cert. It just displays the message about the
fact it cannot read the cert and stops. If I use the "good" cert that
was signed on Linux, then it will accept the cert and will ask if I want
to enter it into the database. At first I said yes, just to make sure
that would work and it did. I then did as you recommended and
deleted it from the database. Do you need the ca cert and key as
well?
I will put together a zip file and send all of them to you as soon as I
resolve a production problem we are currently having. Thanks for
the offer for assistance.
Ken
"Kenneth R. Robinette" wrote:
>
>
> The .csr/.key is generated using the following commands:
>
> openssl genrsa -out server.key 1024
> openssl req -new -config /tmp/openssl.cnf -key server.key -out
> server.csr
>
> I then sign it with the openssl ca program with a self-generated/self-
> signed ca crt and key. I then transfer the resulting server.key and
> server.csr to the Unix workstation and place in:
>
> /usr/local/apache/ssl.crt/server.crt
> /usr/local/apache/ssl.key/server.key
>
> I start up the Apache server, then use the Microsoft Internet
> Explorer on Windows 98 to connect to the Apache server.
> Everything goes well, the Microsoft Explorer knows that the cert is
> signed by a CA that is in its list of CA certs, gives the proper
> warning, etc. and it displays a dialog box asking if I wish to proceed.
> I accept the yes button and the https page is displayed correctly.
>
> I then login to the Redhat Linux system and start the Netscape client.
> It states that it has received an improperly formatted cert and does
> nothing more.
>
> I then take the .csr and .key file mentioned above, transfer both to the
> Linux workstation and use the same openssl ca command to sign the
> cert. I then transfer the resulting .crt and .key to the locations
> shown above. I restart Apache, and try Netscape again. This time
> it is happy and does much like the Microsoft Explorer, it displays a
> dialog stating it does not know about the ca and asks if I would like
> to add it.
>
> Note that the .csr and .key are identical in both cases. In both
> cases they have been created on the Windows workstation. Note
> that the ca .crt and .key are identical in both cases. The only
> difference is where the .csr and .key file for the server.crt is signed,
> but the openssl ca program is provided the identical input and .cnf
> file in both cases.
>
> Note that in both cases, I have not imported anything into the
> Explorer or Netscape. I am simply trying to connect to the www site
> using a https: url to test the installation of the Apache/mod-ssl .crt
> and .key file.
>
Strange problem. When you accept the certificate on Netscape do you
click to accept it for the session or until it expires? Also if the two
certificates are virtually identical Netscape may have problems
distinguishing the two if one is already in its database.
See what happens if you wipe the Netscape database between the two
tests. You can do this by renaming the key3.db and cert7.db files
usually found under ~/.netscape.
Also see if you get similar results with the s_server utility.
If none of that helps send me the various certificate files and I'll see
if I can see anything that might cause this.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__________________________________________________
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
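As an added example (not code from this thread or from OpenSSL), a standard-library Python check to run on a server.crt before handing it to a browser: it flags the platform-dependent things that change when a PEM file is produced on one system and copied to another (CRLF line endings, text before the BEGIN line) and confirms the base64 payload decodes to a complete DER SEQUENCE with the three top-level parts of an X.509 Certificate. The embedded sample is a constructed DER blob with that shape, not a real certificate; signature validation is left to `openssl verify`.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample (NOT a real certificate): a DER SEQUENCE holding the three
# top-level parts an X.509 Certificate has, wrapped as PEM with LF line endings.
_TBS = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # SEQUENCE { INTEGER 1 } stands in for tbsCertificate
_ALG = bytes([0x30, 0x03, 0x06, 0x01, 0x2A])  # SEQUENCE { OID 1.2 } stands in for signatureAlgorithm
_SIG = bytes([0x03, 0x02, 0x00, 0xFF])        # BIT STRING stands in for signatureValue
SAMPLE_DER = bytes([0x30, len(_TBS + _ALG + _SIG)]) + _TBS + _ALG + _SIG
SAMPLE_PEM = "%s\n%s\n%s\n" % (BEGIN, base64.b64encode(SAMPLE_DER).decode(), END)


def _der_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, body_start, body_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def check_pem_certificate(text):
    """Return findings for the contents of one PEM certificate file (read as text)."""
    f = {"crlf": "\r\n" in text, "leading_text": False, "der_complete": False,
         "top_level_tags": [], "errors": []}
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        f["errors"].append("no BEGIN/END CERTIFICATE block")
        return f
    f["leading_text"] = text[:m.start()].strip() != ""  # e.g. the text dump openssl ca prints first
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        tag, pos, end = _der_tlv(der, 0)
        if tag != 0x30:
            f["errors"].append("outer element is not a SEQUENCE")
            return f
        f["der_complete"] = end == len(der)    # truncated file or trailing junk otherwise
        while pos < end:                       # walk the children of the outer SEQUENCE
            child_tag, _, pos = _der_tlv(der, pos)
            f["top_level_tags"].append(child_tag)
    except (ValueError, IndexError) as e:      # bad base64, or DER lengths past end of data
        f["errors"].append("undecodable payload: %s" % e)
        return f
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }
    if f["top_level_tags"] != [0x30, 0x30, 0x03]:
        f["errors"].append("top-level layout is not SEQUENCE, SEQUENCE, BIT STRING")
    return f
```

Run it on the Windows-signed and the Linux-signed server.crt and compare the two findings dicts; a difference in `crlf`, `leading_text` or `der_complete` is the first thing to fix before looking at the client.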