>       From: owner-openssl-us...@openssl.org On Behalf Of Jean Brico
>       Sent: Sunday, 28 August, 2011 09:40

>       I've a CA on a Debian host that works fine and uses scripts in openssl.

>       I've a 2003 Server with an HTTPS site. It owns its certificate generated by this CA.

>       When an XP client connects to this site with "http://www.secure.local", a message shows me that I try to connect to a secure site.

>       My problem: I modify the configuration of my server: I want now clients to authenticate them.

(Small aside: authenticate is not reflexive in English. The clients
authenticate;
or the server authenticates the clients; or the server verifies the
clients.)
        
>       When an XP client connects to this site with "http://www.secure.local", a message shows me that I have to select a certificate to authenticate me. In this window, no certificate appears.

>       But a certificate for my user had been generated by the CA, and installed in the web browser. This certificate is also in the MMC with all other certificates. The certificate is good, with the certificate of the CA.

If you mean installed using Internet Explorer "Options", that's not really 
*in* the browser; it's on the browser menu, but it's actually in Windows.
When you see it in MMC/certmgr, that confirms it's in Windows. And available
to any program using the Windows store, apparently including your XP client.
        
>       With a certificate created by Microsoft CA (with web site "certsrv"), all is fine: the window shows me user certificates. I've only to select one to connect to the secure web site.

The CA name (issuer) of the Microsoft-issued certificate is presumably 
different. Is the server configured to request/demand a client certificate 
using the CA name of the Microsoft CA? Of your Debian CA? Both? Neither? 

If you can't determine this by looking at the server:

- with OpenSSL commandline on any machine that can reach the server 
'openssl s_client -connect server:port -state -debug' and look at 
the server's CertificateRequest message to see what it's asking for;
the format is in RFC 2246 or 4346 but the CertReq message consists 
almost entirely of a sequence of DNs which are mostly readable.

- install Wireshark (www.wireshark.org) on the Windows client machine 
and use it to monitor a connection attempt. It will decode the CertReq 
(and other messages) for you.
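To show what "a sequence of DNs" in the CertificateRequest actually looks like, here is a small decoder for the TLS 1.2 message (RFC 5246, section 7.4.4). This is an added example for the thread, not code from the original mail or from OpenSSL; the handshake bytes are constructed in the script with a tiny DER encoder so it runs offline, and the two CA names in the sample ("Debian OpenSSL CA", "example-WIN2003-CA") are made up for illustration. Fed the bytes of a real CertificateRequest copied from the `openssl s_client -debug` dump or a Wireshark capture, it lists the issuer names the server will accept, which is exactly what the client compares against the issuer of each certificate in the Windows store before offering it in the selection window.

```python
"""Decode a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4) and list the
CA names it advertises: the issuers a client may pick a certificate from.
Added example for this thread, not the original poster's or OpenSSL's code.
Message bytes and CA names below are constructed here for illustration."""
import struct

# DER OID bodies for the three attribute types used in the sample (assumed labels)
OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
OID_C = bytes.fromhex("550406")   # 2.5.4.6  countryName
OID_LABELS = {OID_CN: "CN", OID_O: "O", OID_C: "C"}


def der_tlv(tag, body):
    """Encode one DER element with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_name(rdns):
    """Build an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) from
    [(oid_bytes, text), ...]; values are encoded as PrintableString."""
    parts = []
    for oid, text in rdns:
        ava = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, text.encode("ascii")))
        parts.append(der_tlv(0x31, ava))
    return der_tlv(0x30, b"".join(parts))


def der_read(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_name(der):
    """Render a DER Name as 'C=.., O=.., CN=..' in encoded order (OpenSSL's
    default print order); unknown attribute types are shown as OID hex."""
    tag, rdn_seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = der_read(rdn_seq, pos)
        p = 0
        while p < len(rdn_set):  # an RDN is a SET of one or more AVAs
            _, ava, p = der_read(rdn_set, p)
            _, oid, q = der_read(ava, 0)
            vtag, value, _ = der_read(ava, q)
            label = OID_LABELS.get(oid, oid.hex())
            text = value.decode("utf-8") if vtag in (0x0C, 0x13, 0x16) else value.hex()
            out.append(f"{label}={text}")
    return ", ".join(out)


def parse_certificate_request(msg):
    """Parse a CertificateRequest (4-byte handshake header included)."""
    if msg[0] != 13:
        raise ValueError(f"not a CertificateRequest (handshake type {msg[0]})")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated CertificateRequest")
    pos = 0
    n = body[pos]; pos += 1                                # certificate_types<1..2^8-1>
    cert_types = list(body[pos:pos + n]); pos += n
    n = struct.unpack_from("!H", body, pos)[0]; pos += 2   # supported_signature_algorithms
    sig_algs = [(body[pos + i], body[pos + i + 1]) for i in range(0, n, 2)]; pos += n
    n = struct.unpack_from("!H", body, pos)[0]; pos += 2   # certificate_authorities<0..2^16-1>
    end, ca_names = pos + n, []
    while pos < end:                                       # each DN: 2-byte length + DER Name
        dn_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
        ca_names.append(decode_name(body[pos:pos + dn_len])); pos += dn_len
    if pos != end:
        raise ValueError("certificate_authorities length mismatch")
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": ca_names}


def issuer_accepted(req, issuer_dn):
    """True when a client certificate issued by issuer_dn matches one of the
    advertised CA names (an empty list means the server accepts any CA)."""
    cas = req["certificate_authorities"]
    return not cas or issuer_dn in cas


def build_sample_certificate_request():
    """Constructed sample: a server advertising two acceptable CAs (names made up)."""
    cas = [der_name([(OID_C, "FR"), (OID_O, "Example Org"), (OID_CN, "Debian OpenSSL CA")]),
           der_name([(OID_CN, "example-WIN2003-CA")])]
    ca_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in cas)
    body = (bytes([2, 0x01, 0x40])                              # rsa_sign, ecdsa_sign
            + struct.pack("!H", 4) + bytes.fromhex("04010403")  # sha256/rsa, sha256/ecdsa
            + struct.pack("!H", len(ca_list)) + ca_list)
    return bytes([13]) + len(body).to_bytes(3, "big") + body
```

Running `parse_certificate_request(build_sample_certificate_request())` returns both sample CA names; `issuer_accepted` then answers the question the thread is circling: a certificate whose issuer DN is not in that list (or whose chain does not lead to one) is exactly what Windows leaves out of the selection window, whatever its keyUsage bits say.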
        
>       I've compared the two certificates, and I've only found a difference: in Microsoft user certificate, I've:
>       "use of the key: cypher of data (f0)" (translated from French).
> In my certificate generated with openssl, I don't have this line.

>       Here is a part of the file used to generate user certificate:
>       keyUsage                 = digitalSignature, nonRepudiation, keyEncipherment

>       I don't see anything like "cypher of data". What to write to add this? Is my problem going from this point?

That sounds like the keyUsage bit dataEncipherment, and OpenSSL CA can 
set it. But SSL never *does* dataEncipherment using a certificate/key, 
so this bit should not be needed or make any difference.

I think the problem is more likely 'requested client CA-name(s)'.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
