On Mon, Feb 28, 2005, ohaya wrote:

> 
> > 
> > The certificate you have might not be certified for client authentication or
> > the root CA might not be trusted for client authentication.
> > 
> > See what happens when you do:
> > 
> > openssl x509 -in clcert.pem -text -noout
> > 
> > Steve.
> 
> 
> Steve,
> 
> Thanks for replying.  Here's what I got from one of the client certs:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             f2:68:25:dd:e7:03:b1:aa:42:e4:2d:f1:aa:fe:92:a0
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: [EMAIL PROTECTED], C=us, O=ATest1Dept, OU=ATest1Co,
> CN=ATest1
>         Validity
>             Not Before: Feb 28 09:57:29 2005 GMT
>             Not After : Feb 27 09:21:29 2008 GMT
>         Subject: [EMAIL PROTECTED], C=us, O=ojl1ca1, OU=oujl1ca1,
> CN=jl1ca1
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:b9:e1:c8:a4:8f:91:4a:45:92:56:17:35:bb:67:
>                     c2:1a:11:56:ed:74:7d:3c:ee:70:a6:bf:e9:97:d0:
>                     57:3e:b6:34:73:be:b6:a9:e1:90:d6:8e:2f:d3:8e:
>                     2a:71:d9:c1:81:fc:2e:0c:a5:fb:90:33:19:c6:7f:
>                     4d:c7:5f:29:3f:26:7d:6e:40:41:78:51:7f:8a:cf:
>                     4f:53:b6:95:3c:5b:d0:f0:51:5f:c4:31:53:b5:d1:
>                     f5:b5:45:70:60:6f:b7:bf:3a:91:15:e2:40:1f:06:
>                     04:51:de:25:f2:42:a8:d6:34:a7:9d:21:a7:c7:91:
>                     e7:39:2b:9c:7f:bc:a7:e6:0b
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier: 
>                
> keyid:D8:BA:5E:77:CE:9B:01:07:8F:C0:1D:F8:85:D5:BC:C3:AC:7E:8E:DE
> 
>             X509v3 Key Usage: critical
>                 Key Encipherment, Data Encipherment, Key Agreement
>             Netscape Cert Type: 
>                 SSL Server
>             X509v3 Subject Alternative Name: 
>                 DNS:your.server.address.com
>             X509v3 Subject Key Identifier: 
>                
> 2B:2C:87:F1:3D:1D:12:84:DA:14:13:86:55:C7:45:D6:79:70:FB:0E
>     Signature Algorithm: sha1WithRSAEncryption
>         05:b9:de:d3:15:ad:04:73:42:d1:fd:76:ed:24:91:2c:0a:75:
>         1e:41:bb:0a:35:c3:9f:7d:fa:ad:4e:30:55:16:1f:72:a9:94:
>         a9:f2:23:75:80:95:56:53:d1:ff:94:64:ae:05:5d:0d:dc:60:
>         82:5e:ca:dd:ea:5c:9f:26:32:e2:fa:78:71:41:83:83:99:09:
>         2e:ff:04:b8:dc:93:e8:9f:3e:19:b0:d9:98:6f:32:59:53:78:
>         97:99:67:9f:68:69:c3:dc:dc:5c:64:8a:c1:69:4c:ae:c4:72:
>         60:8b:4b:00:7f:58:55:14:7f:7e:2a:ef:1d:45:fd:a5:cc:50:
>         7d:5c
> 
> Is the problem "Netscape Cert Type" showing only "SSL Server"?
> 

That's one problem: although Netscape Cert Type is largely obsolete, some
clients use it.

The other problem is:

             X509v3 Key Usage: critical
                 Key Encipherment, Data Encipherment, Key Agreement

"Key Agreement" makes no sense for an RSA certificate since it's DH only.

The main problem is that "Digital Signature" isn't set, which means the
certificate can't be used for signing. Client authentication needs signing, so
Netscape and MSIE won't use this certificate.

Technically the certificate isn't usable with all ciphersuites either since
some use signatures but many clients and servers tolerate this.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
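The checks Steve walks through above (Digital Signature missing from Key Usage, a Key Agreement bit on an RSA key, Netscape Cert Type without SSL Client) can be automated against the same `openssl x509 -text -noout` output. The following is an added example, not code from this thread or from OpenSSL: it parses the text dump with the standard library only, so no DER decoding is needed. The two embedded dumps are constructed for the example; the first is an abridged copy of the certificate quoted above, the second is the same certificate with the extensions corrected. The function names and the list of RSA-compatible Key Usage bits are this example's own choices.

```python
"""Check an `openssl x509 -text -noout` dump for TLS client-auth suitability.

Added example, not from the thread. It reads the text dump (not the DER), so
only the standard library is needed.
"""
import re

# Key Usage bits that make sense on an RSA key. Key Agreement, Encipher Only
# and Decipher Only belong to (EC)DH keys, as the reply above notes.
RSA_KEY_USAGE = {
    "Digital Signature", "Non Repudiation", "Key Encipherment",
    "Data Encipherment", "Certificate Sign", "CRL Sign",
}


def extension_values(dump, name):
    """Return the comma-separated values printed under extension `name`.

    The `-text` format prints the extension header (optionally followed by
    "critical") on one line and its values, indented further, on the next.
    Returns None when the extension is absent.
    """
    pattern = re.compile(
        r"^[ \t]*" + re.escape(name) + r":[ \t]*(critical)?[ \t]*$\n"
        r"^[ \t]*(\S.*?)[ \t]*$",
        re.MULTILINE,
    )
    match = pattern.search(dump)
    if not match:
        return None
    return [v.strip() for v in match.group(2).split(",")]


def client_auth_report(dump):
    """Return a list of problems that stop browsers using the cert for client auth.

    An empty list means none of these checks fired.
    """
    problems = []
    match = re.search(r"Public Key Algorithm:\s*(\S+)", dump)
    key_algorithm = match.group(1) if match else ""

    key_usage = extension_values(dump, "X509v3 Key Usage")
    if key_usage is not None:  # an absent Key Usage imposes no restriction
        if "Digital Signature" not in key_usage:
            problems.append(
                "Key Usage lacks Digital Signature; client auth requires signing")
        if key_algorithm == "rsaEncryption":
            for bit in key_usage:
                if bit not in RSA_KEY_USAGE:
                    problems.append(
                        f"Key Usage bit '{bit}' is meaningless for an RSA key")

    ns_type = extension_values(dump, "Netscape Cert Type")
    if ns_type is not None and "SSL Client" not in ns_type:
        problems.append(
            "Netscape Cert Type is present but does not include SSL Client")

    eku = extension_values(dump, "X509v3 Extended Key Usage")
    if eku is not None and "TLS Web Client Authentication" not in eku:
        problems.append(
            "Extended Key Usage is present but lacks TLS Web Client Authentication")
    return problems


# Constructed sample: abridged from the certificate quoted in the thread.
BAD_DUMP = """\
Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment, Data Encipherment, Key Agreement
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Alternative Name:
                DNS:your.server.address.com
"""

# Constructed sample: the same certificate with extensions fit for client auth.
GOOD_DUMP = """\
Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            Netscape Cert Type:
                SSL Client
"""

if __name__ == "__main__":
    for label, dump in (("quoted cert", BAD_DUMP), ("corrected cert", GOOD_DUMP)):
        print(f"{label}: {client_auth_report(dump) or ['no problems found']}")
```

Pipe a real dump in with `openssl x509 -in clcert.pem -text -noout` and pass the text to `client_auth_report`. When issuing a replacement certificate, the extension section of `openssl.cnf` should carry `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = clientAuth`, plus `nsCertType = client` for the older clients that still look at Netscape Cert Type.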
