Does this also affect/fix the problems I've seen with self-signed CERTs with Eudora and with Mulberry?
Quoting Brian C Hill ([EMAIL PROTECTED]):

> I finally figured out the problem with both Netscape and OE by
> reviewing Mark D. Baushke's steps:
>
> http://www.mail-archive.com/[email protected]/msg24931.html
>
> It seems that the CA must sign itself first before it can be
> used to sign other certs. Doing that fixed both the Netscape and the OE
> problems (though the exact commands I used were a little different).
>
> Now I can use self-signed certs without a lot of grief for my
> users.
>
> Brian
> ======================================================================
> On Thu, May 02, 2002 at 11:18:36AM -0700, Brian C Hill wrote:
> > Hello,
> >
> > Since I cannot find an answer to this particular problem
> > anywhere (after looking at easily more than 100 web site
> > refs), I figure I must be doing something very obviously wrong. I have
> > found a lot of discussion, but nothing that has worked.
> >
> > I used the following procedure from Qualcomm to generate a
> > self-signed cert to use with qpopper 4.0.3:
> >
> > ## make CA
> > # make private key
> > openssl genrsa -des3 -out ca.key 1024
> > # make public key (cert)
> > openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > ## make private/pub key (cert)
> > openssl req -new -nodes -out req.pem -keyout cert.pem
> > ## sign cert with CA cert
> > openssl x509 -req -CA ca.crt -CAkey ca.key \
> >     -days 365 -in req.pem -out signed-req.pem -CAcreateserial
> > cat signed-req.pem >> cert.pem
> > # set perms
> > chmod 600 cert.pem
> > chown root:0 cert.pem
> >
> > OE 5 had no problem with this at all.
> >
> > This works with OE 6, but no matter how I import the
> > certificate, I cannot get OE to shut up about the cert not being
> > verifiable. I assume that I should be importing the CA cert that I
> > generated into the root store. Is that not right? I saw one reference
> > to problems with the name being a CNAME, which mine is, but that seems
> > suspicious.
> >
> > Netscape 6.2.2 says that the connection was refused but
> > qpopper's syslog entries clearly show a connection. The real problem
> > seems to be that Netscape doesn't like the certificate. I tried 'restoring'
> > the cert into Netscape, but it doesn't like it. The syslog output:
> >
> > May  2 11:12:05 host.domain.tld /usr/pkg/qpopper/sbin/popper[15111]: [ID 702911 local3.notice] OpenSSL error during handshake
> > May  2 11:12:05 host.domain.tld /usr/pkg/qpopper/sbin/popper[15111]: [ID 702911 local3.notice] ...SSL error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> > May  2 11:12:05 host.domain.tld /usr/pkg/qpopper/sbin/popper[15111]: [ID 702911 local3.notice] TLS/SSL Handshake failed: -1
> >
> > I have not tried this personally with Eudora, but one user said
> > it worked and I am not surprised since Eudora and qpopper both come
> > from Qualcomm.
> >
> > I have to guess my steps leave out something obvious...
> >
> > I will be happy to give out the name to anyone who wants to
> > play with it, but I don't want it to show up in archives.
> >
> > Thanks for help.
> >
> > Brian
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                            [EMAIL PROTECTED]
> > Automated List Manager                               [EMAIL PROTECTED]
>
> --
> _____________________________________________________________________
> / Brian C. Hill     [EMAIL PROTECTED]           http://brian.bch.net \
> | Unix Specialist   BCH Technical Services        http://www.bch.net |
