> That's one problem: although Netscape Cert Type is largely obsolete, some
> clients use it.
> 
> The other problem is:
> 
>              X509v3 Key Usage: critical
>                  Key Encipherment, Data Encipherment, Key Agreement
> 
> "Key Agreement" makes no sense for an RSA certificate since it's DH only.
> 
> The main problem is that "Digital Signature" isn't set, which means the
> certificate can't be used for signing. Client authentication needs signing so
> Netscape and MSIE won't use this certificate.
> 
> Technically the certificate isn't usable with all ciphersuites either since
> some use signatures but many clients and servers tolerate this.


Steve,

THANKS!  I got a new cert, and it's now working.  They thought they had
things correctly configured, but with the info you provided, we got
things straightened out.  Here's one of the working ones:

E:\OpenSSL\bin>openssl x509 -in user5-atest3.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a7:75:bc:83:8f:eb:2c:8a:46:3f:dd:66:af:62:5a:b9
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=ATest3 Org, OU=ATest3 OU, CN=ATest3 ROOT CA/emailAddress [EMAIL PROTECTED]
        Validity
            Not Before: Mar  1 04:09:50 2005 GMT
            Not After : Feb 27 09:20:02 2012 GMT
        Subject: C=US, O=ATest3 Org, OU=ATest3 OU, CN=USER5-ATEST3/emailAddress=[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f2:f3:fc:c6:64:cf:e2:fc:9c:76:fc:6c:da:d6:
                    8f:96:04:4e:1a:e8:46:3a:97:2e:11:de:14:af:00:
.
<snip>
.
                    3a:b8:94:28:5d:ca:6e:23:f9:79:84:74:83:98:49:
                    13:52:e7:1b:f3:fb:96:43:01
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            Netscape Cert Type:
                SSL Client
            X509v3 Authority Key Identifier:
                keyid:55:90:95:CC:D3:E5:3B:7C:5C:41:27:DB:1F:30:04:A4:DE:A3:D4:BA

            X509v3 Subject Key Identifier:
                77:6A:F2:84:B1:30:D3:D4:08:AD:11:00:CE:D5:B6:82:E2:77:04:BD
    Signature Algorithm: sha1WithRSAEncryption
        91:89:74:d8:4b:75:28:4f:06:ab:b4:5d:a6:a7:8b:3d:5e:e4:
        91:09:86:fa:ed:eb:ee:5f:0e:41:ea:25:2e:38:b1:de:20:2c:
.
<snip>
.
        82:d4:70:f8:cf:9a:89:22:aa:b6:f8:0e:38:41:19:12:99:98:
        88:c7

Jim
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
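
The key-usage problems discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not OpenSSL code: it reads `openssl x509 -text` output and reports what would stop a certificate being used for client authentication. The two excerpts are constructed to mirror the rejected and the working certificate; the function names and the Netscape Cert Type check are assumptions.

```python
import re

# Constructed excerpts in `openssl x509 -text` layout, mirroring the two
# certificates discussed in the thread (the rejected one, then the working one).
REJECTED = """\
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment, Data Encipherment, Key Agreement
"""
WORKING = """\
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            Netscape Cert Type:
                SSL Client
"""

def field(text, label):
    """Return the comma-separated values on the line after `label`, or None."""
    m = re.search(rf"^\s*{re.escape(label)}:[^\n]*\n\s*([^\n]+)", text, re.M)
    return [v.strip() for v in m.group(1).split(",")] if m else None

def client_auth_findings(text):
    """List problems that stop a certificate being used for TLS client auth."""
    findings = []
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    usage = field(text, "X509v3 Key Usage")
    ns_type = field(text, "Netscape Cert Type")
    if usage is not None:  # an absent extension places no restriction
        if "Digital Signature" not in usage:
            findings.append("keyUsage lacks Digital Signature")
        if "Key Agreement" in usage and alg and alg.group(1) == "rsaEncryption":
            findings.append("Key Agreement set on an RSA key")
    # Assumption: a client that honours this obsolete extension wants SSL Client.
    if ns_type is not None and "SSL Client" not in ns_type:
        findings.append("Netscape Cert Type lacks SSL Client")
    return findings

if __name__ == "__main__":
    for name, cert in (("rejected", REJECTED), ("working", WORKING)):
        print(name, client_auth_findings(cert) or "ok for client auth")
```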
