On Mon, Feb 28, 2005, ohaya wrote:

> Hi,
>
> I've figured out how to get the "openssl s_client" to display the list
> of CAs:
>
> 1) Run: openssl s_client -connect host:port -prexit
>
> 2) When it pauses, type in a "GET": GET / HTTP/1.0<Enter>
>
> So I am now able to see the list of CAs that the webserver is sending,
> and here's an excerpt:
>
> .
> .
> /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
> CyberTrust...
> /[EMAIL PROTECTED]/C=us/O=ATest1Dept/OU=ATest1Co/CN=ATest1
> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.)/OU...
> .
> .
>
> The test CA's cert appears to be among them (the "CN=ATest1"), and I've
> now tested with both IE and Netscape, but neither of these will display
> the client cert that was issued by the test CA!!
>
> Does anyone have any idea why this might be happening?
>
The certificate you have might not be certified for client authentication
or the root CA might not be trusted for client authentication.

See what happens when you do:

openssl x509 -in clcert.pem -text -noout

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
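
The first possibility raised in the reply (a certificate not certified for client authentication) can be checked directly with `openssl x509 -purpose`. The script below is an added example, not part of the original thread; the function names `client_auth_ok` and `make_cert` and the two throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: all certificates below are constructed test data.

# Return 0 if OpenSSL considers the certificate in $1 usable as an SSL
# client certificate (extendedKeyUsage, keyUsage and nsCertType checks).
client_auth_ok() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null |
        grep -q '^SSL client : Yes'
}

# Write a throwaway self-signed certificate to $2 whose extendedKeyUsage
# is $1 (e.g. clientAuth or serverAuth).
make_cert() {
    mc_dir=$(mktemp -d) || return 1
    cat > "$mc_dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-$1
[ext]
extendedKeyUsage = $1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$mc_dir/req.cnf" -extensions ext \
        -keyout "$mc_dir/key.pem" -out "$2" 2>/dev/null
    mc_rc=$?
    rm -rf "$mc_dir"
    return $mc_rc
}

# With arguments: report on the given PEM files (e.g. clcert.pem).
# Without: demonstrate on two constructed certificates.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if client_auth_ok "$f"; then echo "$f: usable for client auth"
        else echo "$f: NOT usable for client auth"; fi
    done
else
    demo=$(mktemp -d)
    for eku in clientAuth serverAuth; do
        make_cert "$eku" "$demo/$eku.pem"
        if client_auth_ok "$demo/$eku.pem"; then echo "$eku: SSL client : Yes"
        else echo "$eku: SSL client : No"; fi
    done
    rm -rf "$demo"
fi
```

This covers only the certificate's own extensions; whether the browser trusts the root CA for client authentication is a separate setting in the browser's certificate store.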
