> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Safford
> Sent: Monday, 25 January, 2010 11:49

> I am using Self-Signed Certificates and had a few questions about them.
> When running the command to verify whether the certificate chain is valid
> or not (in weblogic), I receive a message stating that the chain is invalid:
> java -cp %BEA_HOME%\weblogic81\server\lib\weblogic.jar utils.ValidateCertChain
> -file openca_crt.pem
> However, when I leave off the -cp option, it says the certificate chain is valid.
> What is the -cp option used for in determining if the certificate chain is valid,
> and is it required?

The -cp/-classpath jar/dirs option sets the classpath used by (this) java run (at least for the default loader). If you leave it out, your environment variable CLASSPATH is used, or if none "." (current directory). Using a different path might result in a different jar or jars being found, containing different code that produces different results.

Do you believe this cert should be valid? How was it generated? Is the file just a (single) selfsigned cert, or a child cert that references some CA cert, or a partial or complete chain? Is the validation supposed to be done against a truststore (or the JRE default) that does or does not include the ss or root cert? Does the command that says it is invalid (with -cp) state a reason that agrees with these answers?

> Second question is in regards to installing the certificate. Weblogic starts up
> without issues, and when I go to the https link I get the following message:
> "The security certificate was issued by a company you have not chosen to trust.
> View the certificate to determine whether you want to trust the certifying authority."
> I select the View Certificate option and install the certificate. It states that
> it is installed successfully, but when I leave the site and come back I get prompted
> with the same message and have to install it again. Shouldn't the first install take
> care of this? (In IE)

It should, assuming it's the same client (machine and browser).

> When looking into this it stated that I needed to install it into the Trusted
> Root Certification Authorities section. When I try that, it says it was successfully

You shouldn't actually need to pick that; if the cert is selfsigned (and not for your key) "automatic" should select "trusted root". (Even if it wasn't actually used to issue any children, and I think even if it doesn't have usage allowing it to issue any children.)

> installed, however it is not in that section when I go to it in Internet Explorer.
> Does anyone know why this might be?

Not really. There might be some permissions error(s) that would prevent it from saving, but if so it should have given an error.

One specific possibility: if you're in a corporate or other group environment, (recent) Windows has features that allow a central manager (typically the IT department) to remotely lock down features and options on users' machines. I don't know if 'add trusted root' is one of them, but it very well might. But again I would expect an error message if so.

From this same IE, have you accepted/imported, and then used silently, a 'new' selfsigned or CA cert from/to any other server/site? I.e. does it not work at all, or does it not work only for this cert/server?
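Added example, not part of the original thread: one way to answer the reply's question of whether a PEM file such as openca_crt.pem holds a single self-signed cert, a child cert, or a partial or complete chain. It compares issuer and subject names only and does not verify signatures; the function names are hypothetical, chain files are assumed to be leaf-first, and the sample certificates are constructed skeletons.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def names(der):
    """Return the raw DER (issuer, subject) Names of one certificate."""
    _, pos, _ = _tlv(der, 0)                           # Certificate
    _, pos, end = _tlv(der, pos)                       # TBSCertificate
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]                  # serial, sigAlg, ISSUER, validity, SUBJECT

def classify(pem_text):
    """Describe the file by name linkage only; signatures are NOT verified."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return "no certificate"
    if len(certs) == 1:
        return "single self-issued cert" if certs[0][0] == certs[0][1] else "single child cert"
    if any(certs[i][0] != certs[i + 1][1] for i in range(len(certs) - 1)):
        return "multiple certs, not in leaf-first chain order"
    return "complete chain" if certs[-1][0] == certs[-1][1] else "partial chain"

# --- constructed sample input: skeletal certificates, names only, no real keys/signatures ---
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body              # short-form length is enough here

def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03", _der(0x0C, cn.encode()))))

def sample_pem(issuer_cn, subject_cn):
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", _der(0x30),
               _name(issuer_cn), _der(0x30), _name(subject_cn), _der(0x30))
    b64 = base64.b64encode(_der(0x30, tbs, _der(0x30), b"\x03\x01\x00")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

A "single child cert" or "partial chain" result means the validator can only succeed if the missing issuer is supplied from a truststore.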