You need to install the root certificate into the clients' browsers.

You can distribute root certificates to clients by including the root
certificate within the pkcs12 file or

As all browsers act differently in accepting certificates I use a perl
script get to format the certificate for the presented browser and add some
javascript to help send the cert straight to the client's browser.



----- Original Message -----
From: "Sunil Dangwal" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 17, 2001 7:50 PM
Subject: Re: using own CA certs with various clients


> Try converting into pkcs12 and then import
> openssl pkcs12 -export -in file -inkey key -certfile cert -out outfile.p12
>
> ----- Original Message -----
> From: "Steve Barnes" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 17, 2001 2:41 PM
> Subject: RE: using own CA certs with various clients
>
>
> >
> > I have the same problem... (sort of)..
> >
> > I have been trying a similar thing, and failing... I'm trying to be my own
> > CA and generate a server cert so I can enable SSL on an IIS4 webserver.
> >
> > I made myself a CA by running the command...
> >
> > #openssl req -new -x509 -newkey rsa:1024 -md5 -keyout ./certs/CAkey.pem -out ./certs/CAcert.pem -days 365
> >
> > Then I made a Certificate request in IIS Key Manager and signed it using the
> > command...
> >
> > #openssl ca -policy policy_match -days 365 -md md5 -out ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem -cert ./certs/CAcert.pem -outdir ./certs -infiles ./certs/iis-ssl-req.txt
> >
> > ... where iis-ssl-req.txt is the file from IIS Key Manager.
> >
> > I can then import the cert into IIS Key Manager and enable Secure Channel
> > for my web server, but when I connect to https://secure-server, it gives me
> > an error saying the cert is ok apart from the fact that it was " issued by a
> > company you have chosen not to trust ". When I try importing the cert into
> > IE, it imports it ok, but then it doesn't appear in the " Trusted Root
> > Certificate Authorities ". So every time I go to the site, it gives me the
> > same error.... over & over....
> >
> > If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows
> > Exploder recognises it as a Security Certificate, when I double click, I get
> > " Windows does not have enough information to verify this certificate "
> >
> >
> > Any way.... I'm lost... I've gotten this far and it's really bugging me
> > now...
> >
> > Can anyone help...?????????
> >
> >
> >
> >
> > -----Original Message-----
> > From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
> > Sent: 17 October 2001 09:53
> > To: [EMAIL PROTECTED]
> > Subject: Re: using own CA certs with various clients
> >
> >
> > under windows 2000 (and nt4 afaik) with outlook 2000 and IE5 (don't know
> > if works for "less" than this) you can install the certificate in each
> > client by hand quite easily... if the file name has ending ".cer" then
> > windows appears to recognize it and calls it "Security Certificate"...
> > double click on this and hit "Install Certificate..." / Next / Next /
> > Finish / OK / OK ... that's it...
> >
> > getting the cert to the client is another matter :-)
> >
> > Sean
> >
> > Haikel wrote:
> > >
> > > Hello,
> > >
> > > I think you have to install the CA certificates in your client
> > > browser. I know two techniques you can use:
> > >
> > >   1. your client can download your CA certificate from your web site (
> > >      you need to use the mime type application/x-x509-ca-cert in your
> > >      httpd.conf file)
> > >   2. or you can generate, for each one of your end users, a PKCS#12
> > >      file containing his private key, his certificate and your
> > >      CA certificate
> > >
> > > I hope that my answer will be helpful
> > > bye
> > >
> > > Zachary Denison wrote:
> > >
> > > > Hi,
> > > >
> > > > I am using openssl to secure a number of services in
> > > > my organization: http, imap, smtp, ldap etc...
> > > >
> > > > For our internal servers we have been able to generate
> > > > CA certs with openssl and sign our own certificates
> > > > and all the services work great, EXCEPT the client
> > > > software always complains that the certificate chain
> > > > doesn't end with a trusted CA.  I am speaking
> > > > specifically about MS-outlook and netscape.  outlook
> > > > complains every single session where netscape at least
> > > > gives you the option to accept the certificate
> > > > forever.
> > > > Anyway I am sure other clients would complain too.
> > > >
> > > > My question is how can I prevent these messages, how
> > > > can I get the client software to trust our own CA
> > > > cert.  On the web I searched and someone said to make
> > > > a pkcs12 client cert.. anyway I tried that in a number
> > > > of ways and it didn't work... And I really don't care
> > > > about verifying the client... I just want to make the
> > > > client trust the homegrown ca.
> > > >
> > > > Any help would be much appreciated.
> > > > Thanks
> > > > Zachary.
> > > >
> > > > _____________________________________________________________________
> > > >
> > > > OpenSSL Project
> > > > http://www.openssl.org
> > > > User Support Mailing List
> > > > [EMAIL PROTECTED]
> > > > Automated List Manager
> > > > [EMAIL PROTECTED]
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
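
An added example, not part of the original thread: it builds a throwaway root CA, signs a leaf certificate, and produces the two artifacts the replies mention (a DER `.cer` copy of the CA certificate and a PKCS#12 bundle made with `-certfile`), then checks with `openssl verify` that the leaf validates only when the CA certificate is the trust anchor. Assumptions: the names, host and password are constructed, RSA-2048/SHA-256 replace the thread's `rsa:1024`/`md5`, and `openssl x509 -req` stands in for `openssl ca`.

```shell
#!/bin/sh
# Added example. Constructed names: "Example Test Root CA",
# secure-server.example, password "changeit". Needs OpenSSL 1.1.1 or later.

build_demo_pki() (   # $1 = empty working directory; runs in a subshell
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:secure-server.example
EOF
  # 1. Self-signed root, explicitly marked as a CA (key left unencrypted: demo only).
  openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -config pki.cnf \
    -keyout CAkey.pem -out CAcert.pem -days 365 || exit 1
  # 2. Leaf key and CSR; stands in for the request exported by the server.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=secure-server.example" -keyout leaf.key -out leaf.csr || exit 1
  # 3. Sign the CSR with the root (x509 -req used instead of `openssl ca`).
  openssl x509 -req -in leaf.csr -CA CAcert.pem -CAkey CAkey.pem \
    -CAcreateserial -sha256 -days 365 -extfile pki.cnf \
    -extensions v3_leaf -out leaf.pem || exit 1
  # 4. DER copy of the ROOT for clients (.cer, application/x-x509-ca-cert).
  openssl x509 -in CAcert.pem -outform DER -out CAcert.cer || exit 1
  # 5. PKCS#12 with key, leaf and root; -certfile adds the CA certificate.
  openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile CAcert.pem \
    -passout pass:changeit -out leaf.p12 || exit 1
)

# Succeeds only if leaf.pem chains to the anchor file named in $2.
verify_leaf() {
  openssl verify -CAfile "$1/$2" "$1/leaf.pem" >/dev/null 2>&1
}

# Number of certificates carried inside the PKCS#12 bundle.
p12_cert_count() {
  openssl pkcs12 -in "$1/leaf.p12" -nokeys -passin pass:changeit 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
```

Run `build_demo_pki` on an empty directory, then compare `verify_leaf DIR CAcert.pem` with `verify_leaf DIR leaf.pem`: the second fails because the leaf is not a self-signed trust anchor.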
