Re: Newbie questions update ....

[Steve Ankeny]

Very good suggestions!  Thanks
I will not have time to try these until this evening, but I will report 
any errors, etc.  You guys are the best.

Dr. Stephen Henson wrote:
On Sat, Sep 11, 2004, Steve Ankeny wrote:

Sorry about the html ....
First of all, I am using Mozilla.  I never use IE

What version of Mozilla are you using? If you have a newer version then you
will have an "Import" button. You select Edit->Preferences->Private &
Security->Certificates. Then click on "Manage Certificates" and the
"Authorities" tab. Then try the "Import" button. 

If, as I suspect, you are trying the "Import" button under "Your certificates"
then it will expect a PKCS#12 file.

Secondly, every time I try to import the 'server.crt' it complains that 
it is not in 'pkcs12' format.

Thirdly, the CA.pl "guides" are just as confusing as the OpenSSL guides.

You just need the examples. This will do the trick...
CA.pl -newca
CA.pl -newreq
CA.pl -signreq
The CA certificate is then in demoCA/cacert.pem, the new certificate in
newcert.pem and the private key in newreq.pem.

I have yet to find a clear-cut description of how to create your own CA; 
certificate signing requests and certificates without finding error 
somewhere in the commands.  No one has been clear on this subject.


Well if you get errors with the above commands please say what they are, that
is assuming they aren't answered in the FAQ.

You are correct in your observation that I should be able to connect 
without importing the certificate.  But I don't know what is wrong.



It would help if you said what error Mozilla is giving.
Well you can check the webserver is OK using OpenSSLs s_client command:
openssl s_client -connect myhostname.org:443
If that connects OK then at least the secure server is running and seeing the
certificates. Then the error might be that Mozilla doesn't like the
certificates: some "guides" suggest ways that produce invalid certficates.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

--
"Well, you know what my dad always said?  Having dreams is what makes 
life tolerable!"
						-- Pete, Rudy's friend
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]