I installed the CA Cert on my machine & hey presto !! it worked.

I think I'll email the Certs out to everyone I need to use the SSL server.

Nice one !!



-----Original Message-----
From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2001 11:05
To: [EMAIL PROTECTED]
Subject: Re: using own CA certs with various clients


sorry, I was unclear - the client needs BOTH the server cert and your CA
cert.

what I did was I put the certs in a shared directory... and then each
machine that wanted them just double clicked on the CA.cer and
server.cer ... done...

cheers,
Sean

Steve Barnes wrote:
> 
> I have the same problem... (sort of)..
> 
> I have been trying a similar thing, and failing... I'm trying to be my own
> CA and generate a server cert so I can enable SSL on an IIS4 webserver.
> 
> I made myself a CA by running the command...
> 
> #openssl req -new -x509 -newkey rsa:1024 -md5 -keyout ./certs/CAkey.pem -out
> ./certs/CAcert.pem -days 365
> 
> Then I made a Certificate request in IIS Key Manager and signed it using the
> command...
> 
> #openssl ca -policy policy_match -days 365 -md md5 -out
> ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem -cert ./certs/CAcert.pem
> -outdir ./certs -infiles ./certs/iis-ssl-req.txt
> 
> ... where iis-ssl-req.txt is the file from IIS Key Manager.
> 
> I can then import the cert into IIS Key Manager and enable Secure Channel
> for my web server, but when I connect to https://secure-server, it gives me
> an error saying the cert is ok apart from the fact that it was " issued by a
> company you have chosen not to trust ". When I try importing the cert into
> IE, it imports it ok, but then it doesn't appear in the " Trusted Root
> Certificate Authorities ". So every time I go to the site, it gives me the
> same error.... over & over....
> 
> If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows
> Exploder recognises it as a Security Certificate, when I double click, I get
> " Windows does not have enough information to verify this certificate "
> 
> Any way.... I'm lost... I've gotten this far and it's really bugging me
> now...
> 
> Can anyone help...?????????
> 
> -----Original Message-----
> From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
> Sent: 17 October 2001 09:53
> To: [EMAIL PROTECTED]
> Subject: Re: using own CA certs with various clients
> 
> under windows 2000 (and nt4 afaik) with outlook 2000 and IE5 (don't know
> if it works for "less" than this) you can install the certificate in each
> client by hand quite easily... if the file name has ending ".cer" then
> windows appears to recognize it and calls it "Security Certificate"...
> double click on this and hit "Install Certificate..." / Next / Next /
> Finish / OK / OK ... that's it...
> 
> getting the cert to the client is another matter :-)
> 
> Sean
> 
> Haikel wrote:
> >
> > Hello,
> >
> > I think you have to install the CA certificates in your client
> > browser. I know two techniques you can use:
> >
> >   1. your client can download your CA certificate from your web site (
> >      you need to use the mime type application/x-x509-ca-cert in your
> >      httpd.conf file)
> >   2. or you can generate, for each one of your end users, a PKCS#12
> >      file containing his private key, his certificate and your
> >      CA certificate
> >
> > I hope that my answer is helpful
> > bye
> >
> > Zachary Denison wrote:
> >
> > > Hi,
> > >
> > > I am using openssl to secure a number of services in
> > > my organization: http, imap, smtp, ldap etc...
> > >
> > > For our internal servers we have been able to generate
> > > CA certs with openssl and sign our own certificates
> > > and all the services work great, EXCEPT the client
> > > software always complains that the certificate chain
> > > doesn't end with a trusted CA.  I am speaking
> > > specifically about MS-outlook and netscape.  outlook
> > > complains every single session where netscape at least
> > > gives you the option to accept the certificate
> > > forever.
> > > Anyway I am sure other clients would complain too.
> > >
> > > My question is how can I prevent these messages, how
> > > can I get the client software to trust our own CA
> > > cert.  On the web I searched and someone said to make
> > > a pkcs12 client cert.. anyway I tried that in a number
> > > of ways and it didn't work... And I really don't care
> > > about verifying the client... I want to just make the
> > > client trust the homegrown ca.
> > >
> > > Any help would be much appreciated.
> > > Thanks
> > > Zachary.
> > >
> > > _____________________________________________________________________
> > >
> > > OpenSSL Project
> > > http://www.openssl.org
> > > User Support Mailing List
> > > [EMAIL PROTECTED]
> > > Automated List Manager
> > > [EMAIL PROTECTED]
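The trust behaviour this thread turns on, as an added example that is not from any poster in the thread: a server certificate signed by a private CA fails verification until that CA certificate is supplied as a trust anchor, and a fingerprint lets recipients check a CA cert that reached them by e-mail or a shared directory. File names and subject names are constructed; rsa:2048 and sha256 replace the thread's rsa:1024 and md5, which are no longer considered secure.

```shell
#!/bin/sh
# Added example; file names and subject names are constructed for the demo.
# rsa:2048 / sha256 stand in for the thread's rsa:1024 / md5.
# -nodes leaves the keys unencrypted so the demo runs unattended;
# a real CA key should be passphrase-protected.

build_demo_pki() {   # $1 = working directory
    dir=$1
    # 1. Self-signed CA certificate: the trust anchor clients must install.
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/O=Example Org/CN=Example Internal CA" \
        -keyout "$dir/CAkey.pem" -out "$dir/CAcert.pem" 2>/dev/null || return 1
    # 2. Server key and CSR (stands in for the IIS Key Manager request).
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -subj "/O=Example Org/CN=secure-server" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null || return 1
    # 3. Sign the CSR with the CA key.
    openssl x509 -req -sha256 -days 365 -in "$dir/server-req.pem" \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null || return 1
    # 4. DER copy of the CA cert, the .cer form Windows offers to install.
    openssl x509 -in "$dir/CAcert.pem" -outform DER -out "$dir/CA.cer"
}

# Succeeds only if the server cert chains to a trusted root.
# $1 = server cert; any further arguments are passed to `openssl verify`.
trusts_server() {
    cert=$1; shift
    openssl verify "$@" "$cert" 2>/dev/null | grep -q ': OK$'
}

# SHA-256 fingerprint to compare over a separate channel (phone, in person)
# before installing a CA cert that arrived by e-mail or a shared directory.
ca_fingerprint() {   # $1 = cert file, $2 = PEM or DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

demo=$(mktemp -d)
build_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
trusts_server "$demo/server-cert.pem" \
    && echo "no CA installed: trusted" || echo "no CA installed: NOT trusted"
trusts_server "$demo/server-cert.pem" -CAfile "$demo/CAcert.pem" \
    && echo "CA installed:    trusted" || echo "CA installed:    NOT trusted"
echo "CA.cer SHA-256: $(ca_fingerprint "$demo/CA.cer" DER)"
rm -rf "$demo"
```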