I finally figured out the problem with both Netscape and OE by
reviewing Mark D. Baushke's steps:

        http://www.mail-archive.com/[email protected]/msg24931.html

        It seems that the CA must sign itself first before it can be
used to sign other certs. Doing that fixed both the Netscape and the OE
problems (though the exact commands I used were a little different).

        Now I can use self-signed certs without a lot of grief for my
users.

Brian
======================================================================
On Thu, May 02, 2002 at 11:18:36AM -0700, Brian C Hill wrote:
>       Hello,
> 
>       Since I cannot find an answer to this particular problem
> anywhere (after looking at easily more than 100 web site
> refs), I figure I must be doing something very obviously wrong.  I have
> found a lot of discussion, but nothing that has worked.
> 
>       I used the following procedure from qualcomm to generate a
> self-signed cert to use with qpopper 4.0.3:
> 
> ## make CA
> # make private key
> openssl genrsa -des3 -out ca.key 1024
> # make public key (cert)
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> ## make private/pub key (cert)
> openssl req -new -nodes -out req.pem -keyout cert.pem
> ## sign cert with CA cert
> openssl x509 -req -CA ca.crt -CAkey ca.key \
>         -days 365 -in req.pem -out signed-req.pem -CAcreateserial
> cat signed-req.pem >> cert.pem
> # set perms
> chmod 600 cert.pem
> chown root:0 cert.pem
> 
>       OE 5 had no problem with this at all.
> 
>       This works with OE 6, but no matter how I import the
> certificate, I cannot get OE to shut up about the cert not being
> verifiable.  I assume that I should be importing the CA cert that I
> generated into the root store. Is that not right?  I saw one reference
> to problems with the name being a CNAME, which mine is, but that seems
> suspicious.
> 
>       Netscape 6.2.2 says that the connection was refused but
> qpopper's syslog entries clearly show a connection. The real problem
> seems to be that Netscape doesn't like the certificate. I tried 'restoring'
> the cert into Netscape, but it doesn't like it. The syslog output:
> 
> May  2 11:12:05 host.domain.tld /usr/pkg/qpopper/sbin/popper[15111]: [ID 702911 local3.notice] OpenSSL error during handshake
> May  2 11:12:05 host.domain.tld /usr/pkg/qpopper/sbin/popper[15111]: [ID 702911 local3.notice] ...SSL error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> May  2 11:12:05 host.domain.tld /usr/pkg/qpopper/sbin/popper[15111]: [ID 702911 local3.notice] TLS/SSL Handshake failed: -1
> 
>       I have not tried this personally with Eudora, but one user said
> it worked and I am not surprised since Eudora and qpopper both come
> from qualcomm.
> 
>       I have to guess my steps leave out something obvious...
> 
>       I will be happy to give out the name to anyone who wants to
> play with it, but I don't want it to show up in archives.
> 
> Thanks for the help.
> 
> Brian
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

-- 
   _____________________________________________________________________
  / Brian C. Hill       [EMAIL PROTECTED]          http://brian.bch.net    \
  | Unix Specialist     BCH Technical Services  http://www.bch.net      |
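The fix Brian describes (a CA certificate that is properly self-signed and marked as a CA, then used to issue the server cert) can be checked end to end with the script below. It is an added example, not the commands from the thread or from qpopper's documentation; the subject names "Example Test CA" and "pop.example.test" are made up, and it writes everything into a directory you pass in. Unlike the quoted procedure it gives the CA cert explicit basicConstraints/keyUsage extensions via a config file, gives the server cert a subjectAltName and serverAuth EKU, and finishes with `openssl verify` so a bad chain is caught before a mail client ever sees it.

```shell
#!/bin/sh
# Added example (not the original poster's commands): build a self-signed
# CA with CA:TRUE, issue a server certificate from it, and verify the chain.
# Subject names below are constructed placeholders.
set -eu

# Create ca.key/ca.crt and server.key/server.crt under "$1".
build_chain() {
    dir="$1"
    mkdir -p "$dir"

    # Minimal req config: prompt=no takes the DN from the file, and the
    # v3_ca section marks the certificate as a CA allowed to sign certs.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[ req_dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Server request config (hypothetical host name).
    cat > "$dir/server.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = pop.example.test
EOF

    # Extensions applied when the CA signs the server request; clients
    # match the host against subjectAltName, not the CN.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pop.example.test
EOF

    # 1. CA private key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null

    # 2. Server key + CSR (unencrypted key so the daemon can start unattended).
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
        -out "$dir/server.csr" -config "$dir/server.cnf" 2>/dev/null

    # 3. CA signs the server CSR with the extensions above.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/server.crt" -extfile "$dir/server.ext" 2>/dev/null

    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Returns 0 only if server.crt chains to ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Returns 0 only if the CA certificate actually carries CA:TRUE.
check_ca_flag() {
    openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 only if the server cert's issuer equals the CA's subject.
check_issuer() {
    issuer=$(openssl x509 -in "$1/server.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1/ca.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Run the whole flow when DEMO_DIR is set, e.g. DEMO_DIR=/tmp/pki sh this.sh
if [ -n "${DEMO_DIR:-}" ]; then
    build_chain "$DEMO_DIR"
    verify_chain "$DEMO_DIR" && check_ca_flag "$DEMO_DIR" \
        && check_issuer "$DEMO_DIR" && echo "chain OK"
fi
```

For qpopper the server key and server.crt would then be concatenated into the single file the daemon reads, as in the quoted procedure, while only ca.crt is what gets imported into the mail client's trusted root store. If `openssl verify` already fails here, no amount of re-importing in OE or Netscape will help.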
