Situation: Need to be able to generate Client Certificates for users in
order to use SSLVerifyClient 2.
I cannot successfully connect the first user to the server (after
I figure out how to connect the first client, the rest will be easy).
Here are the details:

Apache/1.3.19 Ben-SSL/1.42 (Unix)
OpenSSL 0.9.6a
SunOS 5.6

SSL directives from httpd.conf:

# SSL configs
SSLEnable
SSLCacheServerPort 12345
SSLCacheServerPath bin/gcache
SSLSessionCacheTimeout 3600
SSLCertificateFile /some/path/to/certs/new.cert.cert
SSLCertificateKeyFile /some/path/to/certs/new.cert.key
SSLCACertificatePath /some/path/to/certs
SSLVerifyClient 2
SSLVerifyDepth  1

Created a test certificate for the server, following
http://www.apache-ssl.org/#FAQ
openssl req -new > new.cert.csr
openssl rsa -in privkey.pem -out new.cert.key
openssl x509 -in new.cert.csr -out new.cert.cert -req \
    -signkey new.cert.key -days 365


Then did the following from
http://www.drh-consultancy.demon.co.uk/pkcs12faq.html#nsissues

CA.pl -newca
CA.pl -newreq
CA.pl -signreq
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem \
    -certfile demoCA/cacert.pem -name "MY CERTIFICATE" -out mycert.p12

Imported mycert.p12 into Netscape 4.72.
Security -> Certificates -> Yours : Verified "MY CERTIFICATE" OK
Security -> Certificates -> Signers : Verified the test signer

I get the following from Netscape:  "The site "webserver" has requested
client authentication, but you do not have a Personal Certificate
to authenticate yourself. The site may choose not to give you access
without one"
Click OK

Netscape: Error "An I/O error occurred during security authorization.
Please try your connection again"

httpsd_error_log:

[Fri Apr 27 09:06:09 2001] [error] SSL_accept failed
[Fri Apr 27 09:06:09 2001] [error] error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate


I believe I am missing one very vital piece of information in order to
make this work.
Please help.

Roger Vandenberg
Nortel Networks
2745 Iris Street, Ottawa, Canada
mailto:[EMAIL PROTECTED]
(613) 763 8543




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
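
Added example, not part of the original post: OpenSSL finds CA certificates in a CApath-style directory (what SSLCACertificatePath points at) by subject-hash file name, so one check worth running on a setup like the one above is whether the client certificate verifies against that directory. The script builds a throwaway CA and client certificate (constructed names and paths, current openssl command syntax assumed) and shows verification failing until the hash-named link exists.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and client cert; every name and path is made up.
set -e

# Build a test CA plus a client certificate signed by it, inside directory $1.
make_demo_pki() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/min.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/min.cnf" \
        -subj "/CN=Demo Test CA" -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/min.cnf" \
        -subj "/CN=demo-user" -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/user.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/user.pem" 2>/dev/null
}

# File name OpenSSL looks for in a CApath directory to find the issuer of cert $1.
issuer_link_name() {
    echo "$(openssl x509 -noout -issuer_hash -in "$1").0"
}

# Succeeds only if cert $2 chains to a CA found in hashed directory $1.
chains_to_capath() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo=$(mktemp -d)
make_demo_pki "$demo"
capath="$demo/certs"
mkdir "$capath"
cp "$demo/cacert.pem" "$capath/"

# The CA PEM is in the directory, but without a hash-named link it is not found.
if chains_to_capath "$capath" "$demo/user.pem"; then before=ok; else before=fail; fi

# Add the link (what c_rehash automates), then verify again.
link=$(issuer_link_name "$demo/user.pem")
ln -s cacert.pem "$capath/$link"
if chains_to_capath "$capath" "$demo/user.pem"; then after=ok; else after=fail; fi

echo "issuer link name: $link"
echo "verify before link: $before, after link: $after"
```

On a real server the same two functions can be pointed at the configured CA directory and at the PEM certificate that was exported to the browser.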
