Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-26 Thread Matt Stevenson
Hi,

Asking every time does make it complicated. I can't remember if the Firefox 
default is to ask or auto-supply (and it has changed behaviour between 1/2/3 
AFAIK); I have it set to ask every time.

Anyway, the ask-every-time FF behaviour isn't very nice for users (auto-supply is 
probably fine for most users). FF will also ask for a cert on every session ID 
change.

As you know there isn't an ask-once option, which would be very nice. I don't 
think there is much that can be done to fix it other than coding up an ask-once 
option in FF (which I haven't got the time to do :( ).

Anyway, you may also want to use/need SSLOptions +OptRenegotiate if you 
have portions of the site that do and don't require client certs. It can help 
greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all 
the time when going from non-client-cert to client-cert areas.


Regards
Matt


- Original Message 
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, September 25, 2008 9:37:00 AM
Subject: Re: Can i use CA signed cert to create client authentication 
certificates ?

Thank you very much Matt .
That solved it :).

I now have Client Certificate Authentication working with a CA signed 
certificate and a Self Signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup? 
Although I think this problem might be Firefox specific, I'm hoping for some 
advice here. 

Internet Explorer handles the client certificates fine: it prompts me to select a 
certificate on connection to the site and basically just works after that.

But when Firefox is set to "Ask me every time" instead of auto-select client 
certificate, I keep getting the select-certificate pop-up several (multiple) 
times per page request/load from the SSL-secured Apache server.
There is only one certificate in the select-from dialog, but it keeps prompting 
me and I can see it loading the items (images) on the website one at a time.
If I switch to auto-select certificate it works. But it would be nice not 
having the browser present the certificate without it being the user's choice. 
And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module. 
But this content should not differ for Firefox and certificate selection. Or 
does the mod_ssl module prompt for a client certificate for each item loaded?

I have googled this but can't find any good answers.
Some say it is because of image objects loading, but why? 

Best regards

Jan Stian Gabrielli

Original Message ---
Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

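One way to wire up the split Matt describes (third-party server cert, private CA for client certs, client auth required only on part of the site), added here as an example rather than a configuration posted in the thread; all file paths are assumed. Note that every renegotiation carries a fresh CertificateRequest, which is why a browser set to ask every time prompts again whenever the server renegotiates.

```apache
# Added example: Thawte-signed server identity plus a private CA for client certs.
# Paths are assumptions, not the poster's actual files.
<VirtualHost *:443>
    SSLEngine on

    # Server identity: the Thawte-signed server cert, its key, and the Thawte
    # intermediate so browsers can build the chain up to the Thawte root.
    SSLCertificateFile      /etc/ssl/crt/apache_server.crt
    SSLCertificateKeyFile   /etc/ssl/key/apache_server.key
    SSLCertificateChainFile /etc/ssl/crt/thawte-intermediate.crt

    # Client authentication: ONLY the private self-signed CA goes here. It is
    # the trust anchor mod_ssl verifies client certs against, and its DN is what
    # the server advertises to browsers in the CertificateRequest message.
    # Do not add the Thawte root as well: any certificate Thawte had issued could
    # then be presented as a client cert, which is not what this setup intends.
    SSLCACertificateFile    /etc/ssl/crt/selfsigned-ca.crt
    # Client cert must be signed directly by that CA (1 is also the default).
    SSLVerifyDepth          1

    # Default for the public part of the site: no client cert.
    SSLVerifyClient none

    # Only this area requires a client cert. Changing SSLVerifyClient in a
    # per-directory context forces a renegotiation on the first request into
    # it; +OptRenegotiate lets mod_ssl skip renegotiations whose parameters
    # have not actually changed instead of doing one on every request.
    <Location /secure/>
        SSLVerifyClient require
        SSLOptions +OptRenegotiate
    </Location>
</VirtualHost>
```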

Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-25 Thread Jan Stian Gabrielli
Thank you very much Matt .
That solved it :).

I now have Client Certificate Authentication working with a CA signed 
certificate and a Self Signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup? 
Although I think this problem might be Firefox specific, I'm hoping for some 
advice here. 

Internet Explorer handles the client certificates fine: it prompts me to select a 
certificate on connection to the site and basically just works after that.

But when Firefox is set to "Ask me every time" instead of auto-select client 
certificate, I keep getting the select-certificate pop-up several (multiple) 
times per page request/load from the SSL-secured Apache server.
There is only one certificate in the select-from dialog, but it keeps prompting 
me and I can see it loading the items (images) on the website one at a time.
If I switch to auto-select certificate it works. But it would be nice not 
having the browser present the certificate without it being the user's choice. 
And honestly, choosing it once per session per site should be sufficient.
 
I should probably mention that the page served up is behind a mod_proxy module. 
But this content should not differ for Firefox and certificate selection. Or 
does the mod_ssl module prompt for a client certificate for each item loaded?

I have googled this but can't find any good answers.
Some say it is because of image objects loading, but why? 
 
Best regards

Jan Stian Gabrielli

Original Message ---
Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

__
Apache Interface to OpenSSL (mod_ssl)  www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-23 Thread Jan Stian Gabrielli
Ok. This seems like a viable solution.
I.e.
I use an approved CA signed cert to verify the site authenticity, and I use a 
self-signed CA root for client certificates.

Can you point me in the direction of how I make this work in Apache?
I already have a setup with a self-signed CA working for client certificates.

Created SelfSignedCA
|--Create and Sign Apache Cert from SelfSigned CA
|--Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards

Wizkidnono


Can i use CA signed cert to create client authentication certificates ?

2008-09-22 Thread Jan Stian Gabrielli
I am trying to set up Apache with mod_ssl, and I have it working with a
self-signed CA.
But I cannot get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a third
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com.
Received an apache_server.crt.

Created a client.key and a client.csr.
Signed it with my apache_server.key and apache_server.crt.

Converted the client.key and .crt to a pkcs12 file and imported this into my
browser but I cannot make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self-sign a CA, but I can't
make it work when I use a 3rd-party CA and only have apache_server.key,
apache_server.crt and the Thawte root cert.

Best regards

Wizkidnono

Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-22 Thread Matt Stevenson
Sounds like you're trying to use the Thawte Apache cert to sign your client 
certs? The Thawte cert won't have the right attributes to sign a client cert 
and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt





Problems with CA-Certificates

2007-05-17 Thread Keller Kind

Hello,
I have got 2 problems with my Apache using mod_ssl and authentication
with client certificates.

1. When Apache is running and I copy a new PEM-encoded
CA certificate into the specified directory (SSLCACertificatePath) and
create the symbolic hash link, no client is able to connect to the
website with his client certificate issued by the copied CA until I
restart the server. Is this a bug? Or is there any way to update the
CA certificates without a restart?

2. The number of CA certificates seems to be limited at ~250. When I use
too many CA certificates in the directory (SSLCACertificatePath) the
SSL message from the server to the client is malformed and no client can
connect. Is this also a bug?

Don't ask me why I need more than 250 CA certificates. It's for a
master's thesis.





RE: Problems with CA-Certificates

2007-05-17 Thread Fought, Richard
1. I believe the server reads the CA cert into memory at startup for a
couple of reasons: to prevent unnecessary disk access, and probably as a
security measure as well.  If your cert is password protected, you might
want an admin to type it in and startup is the perfect time to do it.

2. Maybe it is a # of files limitation?  If I'm not mistaken, you can
have more than one certificate in a PEM file.  Maybe try to combine
them.

Rich


RE: Problems with CA-Certificates

2007-05-17 Thread Fought, Richard
Looking at the SSL 3.0 spec at
http://wp.netscape.com/eng/ssl3/draft302.txt, there appears to be a size
limit for the list of CA distinguished names ..

     struct {
         CertificateType certificate_types<1..2^8-1>;
         DistinguishedName certificate_authorities<3..2^16-1>;
     } CertificateRequest;

If I interpret the spec correctly, this means 3 - 65535 bytes of data
available for the list of DNs (someone please correct me if I am wrong).

Perhaps you are hitting this limit.

Rich


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keller Kind
Sent: Thursday, May 17, 2007 10:30 AM
To: modssl-users@modssl.org
Subject: Re: Problems with CA-Certificates

2. Yes, I know that I can have more than one certificate in a PEM file.
That is used for the SSLCACertificateFile option. But this didn't solve
the problem.
There is no difference between having more than 250 single certificate
files or one file with 250 certificates.
In the SSL handshake the server sends to the client which CAs it
accepts.
This message seems to be malformed when there are too many CAs.
Any ideas...?


Fought, Richard schrieb:
1. I believe the server reads the CA cert into memory at startup for a
couple of reasons: to prevent unnecessary disk access, and probably as
a
security measure as well.  If your cert is password protected, you
might
want an admin to type it in and startup is the perfect time to do it.

2. Maybe it is a # of files limitation?  If I'm not mistaken, you can
have more than one certificate in a PEM file.  Maybe try to combine
them.

Rich






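To put Rich's reading of the spec and Keller's "~250 CAs" observation in numbers, here is an added Python example (not code from the thread) that encodes the certificate_authorities vector the way SSL 3.0/TLS lays it out, with a minimal DER encoder for the CA names. The DN contents are constructed; it goes a step beyond the thread by computing how many CA names of a given size fit before the 2^16-1 byte vector length runs out.

```python
"""Size of CertificateRequest.certificate_authorities (SSL 3.0 / TLS 1.x).

Added example, not from the thread. The DER encoder is deliberately minimal:
one attribute per RDN, so each SET holds a single element and needs no sorting.
"""
from typing import List, Sequence, Tuple

# certificate_authorities<3..2^16-1>: a 2-byte length prefix, so the encoded
# DNs (each carrying its own 2-byte length) must total at most 65535 bytes.
CA_LIST_MAX = 2 ** 16 - 1

# Attribute type OID (DER content octets) and the string tag DER expects.
ATTR_TYPES = {
    "C":  (b"\x55\x04\x06", 0x13),  # countryName, PrintableString
    "O":  (b"\x55\x04\x0a", 0x0C),  # organizationName, UTF8String
    "OU": (b"\x55\x04\x0b", 0x0C),  # organizationalUnitName, UTF8String
    "CN": (b"\x55\x04\x03", 0x0C),  # commonName, UTF8String
}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_name(attrs: Sequence[Tuple[str, str]]) -> bytes:
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { type OID, value string }))."""
    rdns = b""
    for short, value in attrs:
        oid, tag = ATTR_TYPES[short]
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(tag, value.encode("utf-8")))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def encode_certificate_authorities(names: List[bytes]) -> bytes:
    """TLS vector encoding of the DN list; raises if it cannot fit the message."""
    body = b"".join(len(dn).to_bytes(2, "big") + dn for dn in names)
    if len(body) > CA_LIST_MAX:
        raise ValueError(
            f"certificate_authorities needs {len(body)} bytes, limit is {CA_LIST_MAX}")
    return len(body).to_bytes(2, "big") + body


def max_cas_that_fit(dn_size: int) -> int:
    """How many CA names of dn_size bytes fit in one CertificateRequest."""
    return CA_LIST_MAX // (2 + dn_size)


def ca_list_report(names: List[bytes]) -> Tuple[int, bool]:
    """(encoded size of the DN list without its outer length, whether it fits)."""
    size = sum(2 + len(dn) for dn in names)
    return size, size <= CA_LIST_MAX


if __name__ == "__main__":
    # Constructed thesis-style CA name with long O/OU/CN strings, the kind a
    # generated batch of test CAs would carry. A few hundred of these is where
    # the server's CertificateRequest stops being encodable.
    dn = der_name([
        ("C", "DE"),
        ("O", "Masterthesis test PKI, certificate authority number 001"),
        ("OU", "Automatically generated certification authority for load testing"),
        ("CN", "Masterthesis test PKI root certificate authority number 001 of 300"),
    ])
    print(f"one DN is {len(dn)} bytes; {max_cas_that_fit(len(dn))} of them fit")
    for count in (200, 250, 300):
        size, ok = ca_list_report([dn] * count)
        print(f"{count} CAs -> {size} bytes {'ok' if ok else 'TOO BIG'}")
```

A server that hits this limit has no valid way to send the handshake message at all, which matches the malformed-message symptom described above; the fix is fewer advertised CAs (or, in real deployments, an intermediate CA structure), not more files.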


updating ca-bundle.crt

2005-02-02 Thread Joe Orton
There was some discussion on modssl-users a while back on this topic; we
had some concerns about extracting ca-bundle.crt directly from the
Mozilla CA list sources.  But after discussing this with Frank Hecker 
and some others there is agreement that there are no licensing issues 
here really.

So, attached is a Perl script which regenerates ca-bundle.crt directly
from the Mozilla certdata.txt: Ralf, feel free to include this in
mod_ssl or just update the mod_ssl ca-bundle.crt using it ;)

joe



#!/usr/bin/perl -w
#
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
# Run as ./mkcabundle.pl > ca-bundle.crt
#

my $cvsroot = ':pserver:[EMAIL PROTECTED]:/cvsroot';
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';

# Check certdata.txt out of Mozilla CVS straight to stdout and read it from a pipe.
open(IN, "cvs -d $cvsroot co -p $certdata |")
    || die "could not check out certdata.txt";

my $incert = 0;   # true while inside a CKA_VALUE MULTILINE_OCTAL block

print <<EOH;
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: $certdata
#
EOH

while (<IN>) {
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
        # Start of a DER certificate written as octal escapes; pipe the raw
        # bytes through openssl to get the PEM form plus a readable dump.
        $incert = 1;
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
            || die "could not pipe to openssl x509";
    } elsif (/^END/ && $incert) {
        close(OUT);
        $incert = 0;
        print "\n\n";
    } elsif ($incert) {
        # Each line looks like \060\202\003...: split on the backslashes
        # and emit one byte per octal group.
        my @bs = split(/\\/);
        foreach my $b (@bs) {
            chomp $b;
            printf(OUT "%c", oct($b)) unless $b eq '';
        }
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
        print "# Generated from certdata.txt RCS revision $1\n#\n";
    }
}


Again: License of ca-bundle.crt

2004-06-16 Thread AIDA Shinra
Hello,

I am packaging ca-bundle.crt on its own for Fink.
http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256

The Fink package system has a License field. I must fill it in. What is the
license of ca-bundle.crt on its own? The mod_ssl license? Or nothing like a
license?

I sent this before but got no response except a vacation message. Before
clarifying it I can't take any action.


Re: Again: License of ca-bundle.crt

2004-06-16 Thread Joe Orton
On Thu, Jun 17, 2004 at 05:09:31AM +0900, AIDA Shinra wrote:
 Hello,
 
 I am packaging sole ca-bundle.crt for Fink.
 http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256
 
 Fink package system has License field. I must fill it. What is the
 license of sole ca-bundle.crt? Mod_ssl license? Or nothing like
 license?

It's a tricky legal question, I think.

The original source of the ca-bundle.crt was a database shipped with the
Netscape browser.  It's possible to derive a new ca-bundle.crt from the
Mozilla source code, which is what Debian do in their ca-certificates
package.  Debian say that the resultant CA certificate bundle is
licensed under the MPL, as its source in Mozilla is.

But can a database be copyrighted?  Can a database made up of copies of
necessarily-public CA certificates published by third parties be
copyrighted?  It is somewhat lacking in originality, which is one of
the requirements for US copyright law to apply, at least.

You may be better off asking a lawyer, unfortunately!

joe


License of ca-bundle.crt

2004-05-21 Thread AIDA Shinra
Hello,

I am packaging ca-bundle.crt on its own for Fink.
http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256

The Fink package system has a License field. I must fill it in. What is the
license of ca-bundle.crt on its own? The mod_ssl license? Or nothing like a
license?




Verisign CA cert problem

2004-05-19 Thread Bill MacAllister
Hello,
I am having problems with a brand new Verisign 128-bit certificate that has 
just been purchased.  I have installed the certificate and the intermediate 
CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.

What I am seeing is that Netscape and Mozilla connect to the site just fine. 
When I connect to the site with IE 6 the security window pops up telling me 
that the certificate has either expired or is not valid yet.  When I look 
at the certificate, the intermediate CA cert that IE is using is the expired 
cert that was installed with IE.  I tried removing the old intermediate CA 
cert from IE altogether and it still will not load the intermediate CA cert 
from my server.

I am not really sure what to try at this point.   Oh yes, Verisign support 
has been pretty much useless.

Help/suggestions will be greatly appreciated.
Bill
+---
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555




Re: Verisign CA cert problem

2004-05-19 Thread Christopher McCrory
On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
 Hello,
 
 I am having problems with a brand new Verisign 128-bit certificate that has 
 just been purchased.  I have installed the certificate and the intermediate 
 CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.
 

Did you get a new intermediate cert (intermediate.crt) from Verisign
also?  This also goes in the Apache config; directions are somewhere on
Verisign's site.  


-- 
Christopher McCrory
 The guy that keeps the servers running
 
[EMAIL PROTECTED]
 http://www.pricegrabber.com
 
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.



Re: Verisign CA cert problem

2004-05-19 Thread Bill MacAllister

--On Wednesday, May 19, 2004 10:50:44 AM -0700 Christopher McCrory 
[EMAIL PROTECTED] wrote:

> On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
> > Hello,
> > I am having problems with a brand new Verisign 128 bit certificate that
> > has just been purchased.  I have installed the certificate and the
> > intermediate CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d
> > instance.
>
> Did you get a new intermediate cert (intermediate.crt) from Verisign
> also?  This also goes in the apache config. directions somewhere on
> verisigns site.

Yes.  The only certificate that has ever been on my servers is the new CA 
cert.

Actually there are multiple references on the Verisign site:
http://www.verisign.com/support/install/apache/v00Mod.html#global
http://www.verisign.com/support/site/caReplacement.html
Of course, while both describe the same issue they suggest slightly 
different Apache directives.  Respectively the two suggestions are:

 SSLCertificateFile /etc/ssl/crt/public.crt
 SSLCertificateKeyFile /etc/ssl/crt/private.key
 SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
and
 SSLCACertificateFile /etc/ssl/crt/intermediate.crt
I have tried both and neither method works for IE.
Bill


+---
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555


Creating my own CA

2004-03-26 Thread support
I've got OpenSA (Apache w/ OpenSSL+mod_ssl) running on a Windows platform
and am trying to create my own CA. I'm able to create a private key and
make a cert for that CA but can't use my CA to sign the CSR.
I see the step-by-step in the mod_ssl docs, but then the last step gets
to running the script sign.sh and, well, obviously Windows has some
problems running a .sh file. Every place I see online mentions that
there are some strange requirements of the openssl ca command. Does
anyone know of some other approach to sign the CSR?
I've been messing with Cygwin and Mac OS X and a few other things but it
seems like an awful lot of trouble to go through if I have to actually
'build' a *nix server just to sign my server cert.
Any help is always appreciated.

Kevin Ericson
Kinetic Technologies, Inc.




RE: Expired CA Certificate

2004-02-11 Thread Florian Yanez
We recently had a problem with our Verisign Intermediate CA Certificate.
This link (https://www.verisign.com/support/site/caReplacement.html) points
to how they said to fix the problem.  Your case may be similar.

Florian Yanez
Manager of Technical Systems
Helzberg Diamond Shops, Inc.
[EMAIL PROTECTED]
816-627-1253


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rory Chisholm
Sent: Tuesday, February 10, 2004 7:14 AM
To: [EMAIL PROTECTED]
Subject: Expired CA Certificate


This isn't totally modssl related but maybe someone knows the answer.

I'm using OpenSCEP with openssl. My CA certificate has just expired.
Now since our VPN sees very little use (only one important user) I'd like
to re-issue the X.509 CA certificate with the same key but different
attributes (a later expiry date).

Can this be done without re-generating every certificate ever issued from
scratch? The real question here is: do X.509 certificates that have been
signed by a CA certificate store a hash of the CA certificate based solely
on the CA's key, or based on the full CA certificate including its
attributes?

Has anyone had any experience doing this ?

Thanks for any help,

Rory Chisholm



Re[2]: OT: cheap CA certificates

2003-11-18 Thread James Treworgy
Thawte is pretty cheap. $127 bucks through their ISP channel (anyone
can sign up) for a regular web cert, I am not sure you can do much better.

If it's not worth $127 a year, then I assume it's not for profit, e.g.
for internal use only or for a small number of users. In that case,
just use self-signed certificates. They're no less secure, they just
pop up a warning. Advise your users to add them to their root store
the first time they connect to your site and even that won't happen
anymore. We do this for all our internal secured sites.

-- Jamie

Monday, November 17, 2003, 3:05:23 PM, you wrote:

GBE Hello Eric,

GBE Eric Wood wrote:
 Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will
 authorize against?  Thawte and Verisign have outpriced themselves.

GBE That depends on your definition of the terms cheap and reliable.

GBE But we offer client and server certs
GBE (low level client certs are still free)

GBE Bye

GBE Goetz




-- 
Best regards,
 Jamesmailto:[EMAIL PROTECTED]



RE: Re[2]: OT: cheap CA certificates

2003-11-18 Thread kwills
Here is one comparison of different SSL certificate choices and their
prices:

http://www.whichssl.com/ssl-certificate-comparison.html


--Kevin

-Original Message-
From: James Treworgy [mailto:[EMAIL PROTECTED]
Sent: Monday, November 17, 2003 2:12 PM
To: Goetz Babin-Ebell
Cc: [EMAIL PROTECTED]
Subject: Re[2]: OT: cheap CA certificates


Thawte is pretty cheap. $127 bucks through their ISP channel (anyone
can sign up) for a regular web cert, I am not sure you can do much better.

If it's not worth $127 a year, then I assume it's not for profit, e.g.
for internal use only or for a small number of users. In that case,
just use self-signed certificates. They're no less secure, they just
pop up a warning. Advise your users to add them to their root store
the first time they connect to your site and even that won't happen
anymore. We do this for all our internal secured sites.

-- Jamie

Monday, November 17, 2003, 3:05:23 PM, you wrote:

GBE Hello Eric,

GBE Eric Wood wrote:
 Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will
 authorize against?  Thawte and Verisign have outpriced themselves.

GBE That depends on your definition of the terms cheap and reliable.

GBE But we offer client and server certs
GBE (low level client certs are still free)

GBE Bye

GBE Goetz




-- 
Best regards,
 Jamesmailto:[EMAIL PROTECTED]



OT: cheap CA certificates

2003-11-17 Thread Eric Wood
Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will
authorize against?  Thawte and Verisign have outpriced themselves.

-Eric Wood



Re: OT: cheap CA certificates

2003-11-17 Thread Peter Burkholder
http://www.geotrust.com/equifax/
On Mon, Nov 17, 2003 at 02:33:53PM -0500, Eric Wood wrote:
 From: Eric Wood [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: OT: cheap CA certificates
 Date: Mon, 17 Nov 2003 14:33:53 -0500
 Reply-To: [EMAIL PROTECTED]
 
 Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will
 authorize against?  Thawte and Verisign have outpriced themselves.
 
 -Eric Wood
 
--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)
[EMAIL PROTECTED]
DLESE Program Center (DPC)   ~~~  ~~     __o
UCAR/DPC, P.O. Box 3000   Ph) +1-303-497-2663  ~~~   ~~_`\,_
Boulder, CO 80307-3000Fx) +1 303-497-8336  ~~~    (*)/ (*)


Can I resign an existing CA cert without breaking anything?

2003-10-09 Thread Jason Haar
...a bit naive I know, but I'd rather be safe than regret it a week later ;-)

We have an existing internal CA designed around a OpenSSL 0.9.5 signed CA
(obviously we're using a newer release of OpenSSL now - but the CA cert was
created under 0.9.5).

It's all working well - until now. We have found that we cannot sign certs
created by Cisco IOS - well it can - but then the Cisco refuses to use it.
Upon talking to Cisco, they say it's because our CA has a Serial number of
0 - which is illegal(!?). They said this was a known bug in OpenSSL that
was fixed in a later release...

Anyway, if all that is true, I'd like to simply re-create the CA cert under
a newer OpenSSL release - using the existing private key and serial number 1
- which for some reason is actually available (the first signed cert starts
at 2 - don't know why!). 

If I do that (i.e. openssl req -key existing.key -x509 -new ...), will
it break the existing infrastructure? I've gone as far as creating the new
CA public key/root cert, and diff'ing it against the old signed cert just
shows different serial number, dates and some signature hexes look
different. I mean, the public key created from the private key looks
identical to the old public key, so existing (old) HTTPS web servers that
only accept connections from client certs signed by our (old) CA should
happily accept client certs signed by our (new) CA?  What about CRL? We make
extensive use of CRL to ensure only valid certs are accepted, so I'm worried
about that breaking. 

I'm pretty sure that is doable - I'm just worried there are known bugs/issues
around this that may sting me a week/month later...

Thanks!


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
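Both this question and Rory Chisholm's "Expired CA Certificate" question further up the page have the same answer, and it can be checked rather than guessed. What follows is an added example of my own, not code from the list or from mod_ssl. It assumes a modern openssl(1) on PATH; the CA name, the serial numbers and the lifetimes are made up. A certificate does not store a hash of its issuer's certificate: a verifier finds the issuer by subject DN, checks the signature with the issuer's public key, and honours whatever the Authority Key Identifier extension says. With a keyid-only AKI (what the stock openssl.cnf produces) certificates issued under the old CA certificate verify against the re-issued one; an AKI that also records the issuer's serial number (issuer:always) pins them to the old certificate, because a re-issued certificate necessarily gets a different serial. The script builds both kinds and shows the difference:

```shell
#!/bin/sh
# Added example, not from the list posts or from mod_ssl: re-issue a CA
# certificate over the SAME private key with a new validity period and a new
# serial number, then check what still verifies. Assumes a modern openssl(1)
# (1.1.1 or later) on PATH. The CA name, the serials and the lifetimes are
# made up for the demo; all files live in a throw-away temporary directory.
set -e

reissue_ca_demo() {
    work=$(mktemp -d)

    # CA key plus CSR. Signing the same CSR twice over the same key is exactly
    # "re-create the CA cert with the existing private key".
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=Example Internal CA" \
        -keyout "$work/ca.key" -out "$work/ca.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$work/ca.ext"

    # Old CA certificate: serial 1000, one day of life (stands in for the
    # expired one).
    openssl x509 -req -sha256 -days 1 -set_serial 1000 -in "$work/ca.csr" \
        -signkey "$work/ca.key" -extfile "$work/ca.ext" \
        -out "$work/ca-old.crt" 2>/dev/null

    # Two leaf certificates issued under the OLD CA certificate. They differ
    # only in how their Authority Key Identifier (AKI) points at the issuer:
    # by key id alone, or by key id plus the issuer's name and serial number.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn-user" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'authorityKeyIdentifier=keyid' > "$work/leaf-keyid.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'authorityKeyIdentifier=keyid,issuer:always' > "$work/leaf-serial.ext"
    openssl x509 -req -sha256 -days 365 -set_serial 2 -in "$work/leaf.csr" \
        -CA "$work/ca-old.crt" -CAkey "$work/ca.key" \
        -extfile "$work/leaf-keyid.ext" -out "$work/leaf-keyid.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -set_serial 3 -in "$work/leaf.csr" \
        -CA "$work/ca-old.crt" -CAkey "$work/ca.key" \
        -extfile "$work/leaf-serial.ext" -out "$work/leaf-serial.crt" 2>/dev/null

    # New CA certificate: same key, same CSR (so the same subject DN),
    # serial 1 instead of 1000, ten years of life.
    openssl x509 -req -sha256 -days 3650 -set_serial 1 -in "$work/ca.csr" \
        -signkey "$work/ca.key" -extfile "$work/ca.ext" \
        -out "$work/ca-new.crt" 2>/dev/null

    # Check 1: the public key really is unchanged.
    old_pub=$(openssl x509 -in "$work/ca-old.crt" -noout -pubkey)
    new_pub=$(openssl x509 -in "$work/ca-new.crt" -noout -pubkey)
    [ "$old_pub" = "$new_pub" ] && same_key=yes || same_key=no

    # Check 2: a leaf signed under the old certificate chains to the new one.
    # The verifier matches issuer DN and key id and checks the signature with
    # the issuer's public key; no digest of the old CA certificate is involved.
    if openssl verify -CAfile "$work/ca-new.crt" "$work/leaf-keyid.crt" \
           >/dev/null 2>&1
    then keyid_ok=yes; else keyid_ok=no; fi

    # Check 3: a leaf whose AKI also records the issuer's serial number is
    # pinned to the old certificate; the new serial makes the chain fail.
    if openssl verify -CAfile "$work/ca-new.crt" "$work/leaf-serial.crt" \
           >/dev/null 2>&1
    then serial_ok=yes; else serial_ok=no; fi

    rm -rf "$work"
    echo "same_key=$same_key keyid_ok=$keyid_ok serial_ok=$serial_ok"
}
```

Running reissue_ca_demo prints same_key=yes keyid_ok=yes serial_ok=no. So before swapping the file in production, run openssl x509 -noout -text on a few issued certificates and look at the X509v3 Authority Key Identifier block: key id only means they keep working, a DirName plus serial means they are tied to the old certificate. CRLs are matched to their issuer by signature and AKI in the same way, so the same rule applies to them. Cisco's objection to serial 0 is in line with RFC 5280, which requires a positive serial number, so fixing the serial at the same time (as the -set_serial 1 above does) is worthwhile.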


~ Error Help - CN in certificate not server name or identical to CA!? ~

2003-01-29 Thread Inderjit S Gabrie


Hi all

I am new to the SSL environment, getting the following error. Can someone
tell me what's going on and how I can resolve this... thanks in
advance... (error output below...)

[Tue Jul 2 11:54:00 2002] [error] mod_ssl: SSL handshake failed (server name here:443, client 130.209.164.170) (OpenSSL library error follows)

[Tue Jul 2 11:54:00 2002] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]


*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
Inderjit S Gabrie
University of Glasgow, Department of MIS,
Gilbert Scott Building, Glasgow G12 8QQ
Tel: 0141-330-3837 Fax: 0141-330-4953
E-mail: [EMAIL PROTECTED]
Web Url: http://www.mis.gla.ac.uk
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
The future is here, it's just not evenly distributed yet.



RE: ~ Error Help - CN in certificate not server name or identical to CA!? ~

2003-01-29 Thread Boyle Owen
Please post in plain-text... - 

Your error: [Hint: Subject CN in certificate not server name or
identical to CA!?]

means: the Common Name in the certificate is not the same as the
ServerName in the URL - e.g. the certificate belongs to www.abcdef.com
but you are using it in a server whose URL is www.uvwxyz.com. This makes
the browser think your site is impersonating another site and so throws
a warning.

Where did you get the cert? Is it self-signed? If so, make a new one
with the correct server name.

Rgds,

Owen Boyle

PS  How did you remove the Reply-To header which normally directs the
replies back to the list? This is supposed to be a public mailing list,
not your private resource. You are supposed to share the replies with
others and allow them to go in the archive. Anyway, I changed it back...


-Original Message-
From: Inderjit S Gabrie [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 29. Januar 2003 10:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: ~ Error Help - CN in certificate not server name or identical
to CA!? ~




Hi all

I am new to the SSL environment, getting the following error. Can someone
tell me what's going on and how I can resolve this... thanks in
advance... (error output below...)

[Tue Jul 2 11:54:00 2002] [error] mod_ssl: SSL handshake failed (server name here:443, client 130.209.164.170) (OpenSSL library error follows)

[Tue Jul 2 11:54:00 2002] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]




*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~ 
Inderjit S Gabrie 
University of Glasgow, Department of MIS, 
Gilbert Scott Building, Glasgow G12 8QQ 
Tel: 0141-330-3837 Fax: 0141-330-4953 
E-mail: [EMAIL PROTECTED] 
Web Url: http://www.mis.gla.ac.uk 
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
  The future is here, it's just not evenly distributed yet.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 



Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
Well, the thing is that just adding ...-config openssl.cnf... was
enough. Now it works.

Thanx

Long, Liesheng a écrit:
 Do .csr first, then do .crt
 
 Try the following commands, add your path if needed:
 
 1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
 2. openssl x509 -extfile openssl.cnf -extensions v3_ca -days 365 -signkey ca.key \
    -in ca.csr -req -out ca.crt
 
 
 -Original Message-
 From: Sasa STUPAR [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, November 28, 2002 11:50 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Problems with creating own CA
 
 One thing, if I try to use directly the command openssl req -new
 -x509 -days 365 -key ca.key -out ca.crt I get back an error like before,
 also saying that it cannot load config info.
 Any idea?
 
 Maurizio Marini a écrit:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems you lack this:
 commonName_default  = your_fqdn
 
 - -- 
 Maurizio Marini  GSM +39-335-8259739
 Altamura: +39-080-3105228Fax +39-080-3105228
 Pesaro:  +39-0721-54277  Fax +39-0721-415055
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.6 (GNU/Linux)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
 STINIYzTZ0FPIeYy3o5MKNg=
 =t8N+
 -END PGP SIGNATURE-
 





Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
OK, so creating a certificate is done. How do I sign it? I am using
Windows but I have read in the documents to use sign.sh in mod-perl. OK,
but I do not have Linux anywhere near me. So what can I do?

Sasa STUPAR wrote:
 Well, the thing is that just adding ...-config openssl.cnf... was
 enough. now it works.
 
 Thanx
 
 Long, Liesheng a écrit:
 Do .csr first, then do .crt
 
 Try the following commands, add your path if needed:
 
 1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
 2. openssl x509 -extfile openssl.cnf -extensions v3_ca -days 365 -signkey ca.key \
    -in ca.csr -req -out ca.crt
 
 
 -Original Message-
 From: Sasa STUPAR [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, November 28, 2002 11:50 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Problems with creating own CA
 
 One thing, if I try to use directly the command openssl req -new
 -x509 -days 365 -key ca.key -out ca.crt I get back an error like before,
 also saying that it cannot load config info.
 Any idea?
 
 Maurizio Marini a écrit:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems you lack this:
 commonName_default  = your_fqdn
 
 - -- 
 Maurizio Marini GSM +39-335-8259739
 Altamura: +39-080-3105228   Fax +39-080-3105228
 Pesaro: +39-0721-54277  Fax +39-0721-415055
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.6 (GNU/Linux)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
 STINIYzTZ0FPIeYy3o5MKNg=
 =t8N+
 -END PGP SIGNATURE-
 





Re: Problems with creating own CA

2002-12-03 Thread Maurizio Marini
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tuesday 03 December 2002 03:22 pm, Sasa STUPAR wrote:
 OK, so creating a certificate is done. How do I sign it? I am using
 Windows but I have read in the documents to use sign.sh in mod-perl. OK,
 but I do not have Linux anywhere near me. So what can I do?
 

try a self-signed
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt


- -- 
Maurizio Marini 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE97NB24Q/49nIJTlwRAu9MAJwP7waOwN/J2dYSzL4L9RkHNjpRrwCfTI65
M0p49MjvotSa30mCfOFLL30=
=P32L
-END PGP SIGNATURE-



Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
OK, I have made a server certificate and a client certificate. I have
configured Apache and ssl.conf with everything necessary BUT when I try
to connect to myserver:443 it tells me the connection has been refused.
Any idea?

Maurizio Marini wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Tuesday 03 December 2002 03:22 pm, Sasa STUPAR wrote:
  OK, so creating a certificate is done. How do I sign it? I am using
  Windows but I have read in the documents to use sign.sh in mod-perl. OK,
  but I do not have Linux anywhere near me. So what can I do?
  
 
 try a self-signed
 openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out 
server.crt
 
 
 - -- 
 Maurizio Marini   
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.6 (GNU/Linux)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE97NB24Q/49nIJTlwRAu9MAJwP7waOwN/J2dYSzL4L9RkHNjpRrwCfTI65
 M0p49MjvotSa30mCfOFLL30=
 =P32L
 -END PGP SIGNATURE-
 





RE: Problems with creating own CA

2002-12-02 Thread Long, Liesheng
Do .csr first, then do .crt

Try the following commands, add your path if needed:

1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
2. openssl x509 -extfile openssl.cnf -extensions v3_ca -days 365 -signkey ca.key \
   -in ca.csr -req -out ca.crt


-Original Message-
From: Sasa STUPAR [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 28, 2002 11:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with creating own CA

One thing, if I try to use directly the command openssl req -new
-x509 -days 365 -key ca.key -out ca.crt I get back an error like before,
also saying that it cannot load config info.
Any idea?

Maurizio Marini a écrit:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems you lack this:
 commonName_default  = your_fqdn
 
 - -- 
 Maurizio Marini   GSM +39-335-8259739
 Altamura: +39-080-3105228 Fax +39-080-3105228
 Pesaro:   +39-0721-54277  Fax +39-0721-415055
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.6 (GNU/Linux)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
 STINIYzTZ0FPIeYy3o5MKNg=
 =t8N+
 -END PGP SIGNATURE-
 





Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
Hi !

I am trying to create my own CA. The creation of a key file is fine.
When I try to create a CSR file I get back an error: unable to find a
'distinguished_name' in config.
I am running on WinXP with openssl 0.9.6g. I wanted to make a server
certificate for my Apache.

Please help me !

Sasa




Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
unable to find a 'distinguished_name' in config.

in your openssl.cnf  you should uncomment lines regarding distinguished_name;
otherwise re-post with it attached

- -- 
Maurizio Marini
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE95i6C4Q/49nIJTlwRArC3AJ9L+sCspWbSYGJr5QNIdoUxw+XTjACfVK6Q
o2atqXF6nX4goCsODTV7hmo=
=ldnj
-END PGP SIGNATURE-



Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
They are already uncommented. Here is attached my config file.

Maurizio Marini a écrit:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
 unable to find a 'distinguished_name' in config.
 
 in your openssl.cnf  you should uncomment lines regarding distinguished_name;
 otherwise re-post with it attached
 
 - -- 
 Maurizio Marini
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.6 (GNU/Linux)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE95i6C4Q/49nIJTlwRArC3AJ9L+sCspWbSYGJr5QNIdoUxw+XTjACfVK6Q
 o2atqXF6nX4goCsODTV7hmo=
 =ldnj
 -END PGP SIGNATURE-
 


#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME= .
RANDFILE= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file   = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6


[ ca ]
default_ca  = CA_default# The default ca section


[ CA_default ]

dir = ./demoCA  # Where everything is kept
certs   = $dir/certs# Where the issued certs are kept
crl_dir = $dir/crl  # Where the issued crl are kept
database= $dir/index.txt# database index file.
new_certs_dir   = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial  = $dir/serial   # The current serial number
crl = $dir/crl.pem  # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE= $dir/private/.rand# private random number file

x509_extensions = usr_cert  # The extentions to add to the cert

# Comment out the following two lines for the traditional
# (and highly broken) format.
name_opt= ca_default# Subject Name options
cert_opt= ca_default# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions= crl_ext

default_days= 365   # how long to certify for
default_crl_days= 30# how long before next CRL
default_md  = md5   # which md to use.
preserve= no# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy  = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional


[ req ]
default_bits= 1024
default_keyfile = privkey.pem
distinguished_name  = req_distinguished_name
attributes  = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal

Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
 They are already uncommented. Here is attached my config file.
I've:
commonName  = Common Name (eg, your name or your server\'s hostname)
commonName_max  = 64
commonName_default  = iris.dev.datalogica.com

it seems you lack this:
commonName_default  = your_fqdn

- -- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228   Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
STINIYzTZ0FPIeYy3o5MKNg=
=t8N+
-END PGP SIGNATURE-



Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
Well, I have added what you've told me but still the same problem.



Maurizio Marini a écrit:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems you lack this:
 commonName_default  = your_fqdn
 
 - -- 
 Maurizio Marini   GSM +39-335-8259739
 Altamura: +39-080-3105228 Fax +39-080-3105228
 Pesaro:   +39-0721-54277  Fax +39-0721-415055
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.6 (GNU/Linux)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
 STINIYzTZ0FPIeYy3o5MKNg=
 =t8N+
 -END PGP SIGNATURE-
 





Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
One thing, if I try to use directly the command openssl req -new
-x509 -days 365 -key ca.key -out ca.crt I get back an error like before,
also saying that it cannot load config info.
Any idea?

Maurizio Marini a écrit:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems you lack this:
 commonName_default  = your_fqdn
 
 - -- 
 Maurizio Marini   GSM +39-335-8259739
 Altamura: +39-080-3105228 Fax +39-080-3105228
 Pesaro:   +39-0721-54277  Fax +39-0721-415055
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.6 (GNU/Linux)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
 STINIYzTZ0FPIeYy3o5MKNg=
 =t8N+
 -END PGP SIGNATURE-
 





Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 28 November 2002 05:53 pm, Sasa STUPAR wrote:
 I have here made a printscr and saved it in a Word doc. Please look at
 it, maybe it will give some clue.
in fact!
it seems that you lack the openssl.conf pathname in your env vars
check your env and search for something related to this
byez!

- -- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228   Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE95lSF4Q/49nIJTlwRAnh5AJ4n0nqzTCd1dBaOjpx7KewlUyNucACfbxQe
/Z2RE3roRyop6t0s4v4iXAI=
=/YNG
-END PGP SIGNATURE-



Problem of sign.sh ( Create CA for WebServer )

2002-11-12 Thread EdwardSPL
Hello,

My System is Redhat 7.2, Apache 1.3.22 and openssl 0.9.6b...
After I get the sign.sh from here :
http://www.modssl.org/source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.contrib/sign.sh

then run the command : sign.sh ssl.csr/server.csr ( location path is
/etc/httpd/conf, sign.sh into /usr/bin )

the error message :

[root@itahost2 conf]# sign.sh ssl.csr/server.csr
CA signing: ssl.csr/server.csr -> ssl.crt/server.csr:
Using configuration from ca.config
./ca.key: No such file or directory
trying to load CA private key
28968:error:02001002:system library:fopen:No such file or
directory:bss_file.c:245:fopen('./ca.key','r')
28968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
CA verifying: ssl.crt/server.csr <-> CA cert
Error loading file ca.crt
28969:error:02001002:system library:fopen:No such file or
directory:bss_file.c:104:fopen('ca.crt','r')
28969:error:2006D002:BIO routines:BIO_new_file:system
lib:bss_file.c:106:
28969:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:278:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose
purpose] [-engine e] cert1 cert2 ...
recognized usages:
sslclient   SSL client
sslserver   SSL server
nssslserver Netscape SSL server
smimesign   S/MIME signing
smimeencryptS/MIME encryption
crlsign CRL signing
any Any Purpose

So, can you help me to fix this problem ?

Thanks a lot.

Edward.





Re: Make CA for WebServer ( Apache )

2002-11-10 Thread Daniel Moore
It's in the mod ssl INSTALL file...
Basically it's an added step when you make apache...

--from readme file...

$ cd apache_1.3.x  ALL
$ SSL_BASE=../openssl-0.9.x \  ALL
EAPI_MM=../mm-1.1.x \   OPTIONAL
./configure \ALL
--enable-module=ssl \ALL
--prefix=/path/to/apache \   ALL
[--enable-shared=ssl] \  OPTIONAL
[--disable-rule=SSL_COMPAT] \OPTIONAL
[--enable-rule=SSL_SDBM] \   OPTIONAL
[--enable-rule=SSL_EXPERIMENTAL] \   OPTIONAL
[--enable-rule=SSL_VENDOR] \ OPTIONAL
[...more APACI options...]   OPTIONAL
$ make ALL
$ make certificateOPTIONAL
$ make installOPTIONAL
$ cd ..  

Daniel.

[EMAIL PROTECTED] wrote:

Hello,

How to create CA ( invalid: NOT real ) for Web Server ( Apache ) ?

Thank for your help !

Edward.






Make CA for WebServer ( Apache )

2002-11-09 Thread EdwardSPL
Hello,

How to create CA ( invalid: NOT real ) for Web Server ( Apache ) ?

Thank for your help !

Edward.






Configuring my own CA

2002-10-17 Thread Brian Lavender
I am trying to configure my web server so when user brian attempts
to connect to https://myhost/brian/ it authenticates him via his
certificate and it allows him to view the directory. I successfully
compiled apache + modssl with a test certificate signed by
Snake Oil. So, here goes on the questions.

Do I need to create my own Certificate Authority? If I create my
own CA, how do I get Netscape to use it as a CA? I am using Netscape
4.7 on Solaris. If I create my own CA, does my Apache/modssl server perform
that function?

Do I need to create a certificate for Brian? Does it have to be signed 
by the CA? 

Here are the answers I came up with so far.

It looks like I need to create a CA and that I can run it on my modssl
alongside the server.crt. Here is how I created the CA:

$ openssl genrsa -des3 -out ca.key 1024 

I created a self signed CA certificate.

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt 

So this created my certificate authority certificate.

I created a server.key. The CN for the server.key is the FQDN of
my modssl web server.

$ openssl genrsa -des3 -out server.key 1024

I created a request (server.csr) using that server key.

$ openssl req -new -key server.key -out server.csr

Then I signed the server key with the command:

$ ./sign.sh server.csr 

which produced a server.crt file. So, it looks like I have a CA and the
server certificate. 

I created a key for myself which I signed using the CA.

$ openssl genrsa -des3 -out brian.key 1024
$ openssl req -new -key brian.key -out brian.csr
$ sign.sh brian.csr 

Then I end up with the following files. 

brian.crt  ca.crt        ca.db.serial  server.crt
brian.csr  ca.db.certs/  ca.key        server.csr
brian.key  ca.db.index   file.p12      server.key

I can't seem to import my key (brian.crt) into my Netscape browser
though. Is there some other format I need to import it into?

brian
-- 
Brian Lavender
http://www.brie.com/brian/



RE: Configuring my own CA

2002-10-17 Thread Jose Correia (J)
Hi Brian

Netscape needs a PKCS#12 format.

I emailed the openssl list on the 16/10/2002 with subject Re: CSR/CA
Issued Certificate
where among other things I show how to create CA, server and client
certificates (not keys) and how to convert them to PKCS#12 format and
import them into the browser.

Cheers
Jose


-Original Message-
From: Brian Lavender [mailto:brian;brie.com]
Sent: 18 October 2002 03:30
To: [EMAIL PROTECTED]
Subject: Configuring my own CA





how to generate an authoritive CA Certificate?

2002-09-10 Thread zhaoxd





hello, everybody:

Glad to talk to you! I happen to be a learner, so if I have
some problems that make you feel bad, be patient with me, please!

When I constructed my web station through apache, I
met with some problems!

I made the CA Certificate by myself, and issued a
server.crt for my web server using this CA, but I found an unexpected
warning happened when I tried to connect to my apache server through
MSIE/netscape. There is a warning message which says my certificate is
not issued by a Trusted CA.

I think the CA generated by
myself must have some problems. My question is: can guys make a CA by
themselves?

If so, the steps I generate my
CA are:

 1. create a RSA private key for my CA:
   $ openssl genrsa -des3 -out ca.key 1024
 2. create a self-signed CA Certificate (X509
structure) with the RSA key of the CA.
   $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
 3. sign the certificate of my server using
sign.sh provided by mod_ssl/pkg.contrib/
   $ sign.sh server.csr
Then I got my server.crt issued by my
CA Certificate.

Is there any problem during the process I
generate CA?

Any help is appreciated! :)

zhaoxd


how to generate an authoritive CA Certificate?

2002-09-09 Thread zhaoxd






Using a different CA

2002-09-06 Thread Peter Hicks

Hello List,

I have a question regarding the use of a different CA. I recently
purchased an SSL certificate from comodo.net and I have not been able
to get it to work properly. My browser responds that it cannot
recognize the issuer of the certificate. I am running apache 1.3.26,
mod-ssl 2.8.9, and openssl 0.9.6c on a debian woody system.


The global-ca.txt file has been downloaded from their site, and I have
contacted their tech support, who have provided me with no answers.

I have the following directive in my
virtual host container tags:

<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile    /etc/apache/ssl.crt/site.crt
SSLCertificateKeyFile /etc/apache/ssl.key/site.key
SSLCACertificateFile  /etc/apache/ca-bundle/global-ca.txt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
</IfModule>


Has anyone else had any experience with comodo? Should I break down
and shell out the extra $$ for a Thawte cert?

Any help would be greatly appreciated!

-- 
Peter Hicks
GnuPG public key: http://jah.net/~petong/public_key.txt
Key Fingerprint: 4E24 3C78 A165 537C 729C  8D25 3547 3CE9 9E7D 42B6
Every why hath a wherefore. -- William Shakespeare, A Comedy of Errors



Could I add more than one CA to http.conf.

2002-07-12 Thread

Dear Sir:

If we want to allow users whose certificate is signed by one of two
CAs (for example Verisign and Hitrust), how can I do that?

If I execute the SSLCACertificateFile command
two times, the second command works, but the
first CA is disabled.

OS : Windows 2000.
WEB Server: Apache 1.3, mod_ssl 2.6.1, OpenSSL  0.8.5

Is there any command to solve the problem?

Thanks

Bruce Huang (黃文賢)

FoongTone 宏通數碼科技

台北縣中和市中正路866號14樓

Tel: 886-2-8861  ext 636



RE: Could I add more than one CA to http.conf.

2002-07-12 Thread

Hi Sir:

I have got the solution. Thanks.
Bruce Huang

  -Original Message-
 From: 黃文賢
 Sent: Friday, July 12, 2002 2:06 PM
 To:   '[EMAIL PROTECTED]'
 Subject:  Could I add more than one CA to http.conf.
 



How do I extend the expiration day of the self generated CA certificate and all the certs issued by that CA. Please help

2002-06-21 Thread ilya . birman

We have created our own CA certificate and signed a few more certs using it.
The CA is about to expire and with that all the certificates signed using
it. Is there a way to extend the expiration day without recreating the CA
and reissuing the certs?
Please help.
Thanks in advance.
Ilya
---
This  message  (including  any  attachments)  is  confidential  and  may be
privileged.  If you have received it by mistake please notify the sender by
return  e-mail  and  delete this message from your system. Any unauthorized
use  or  dissemination  of  this  message  in  whole or in part is strictly
prohibited.  Please  note  that e-mails are susceptible to change. ABN AMRO
Bank  N.V.  (including  its  group  companies)  shall not be liable for the
improper  or  incomplete  transmission of the information contained in this
communication  nor  for  any delay in its receipt or damage to your system.
ABN  AMRO  Bank  N.V.  (or its group companies) does not guarantee that the
integrity   of  this  communication  has  been  maintained  nor  that  this
communication is free of viruses, interceptions or interference.
---




Getting CRL from CA

2002-06-07 Thread François Désarménien

Hello,

Maybe a stupid question, but I cannot figure out the answer.

I have a secured SSL/TLS server with client authentication.
I accept user certificates for various CA of my choice, so
I have those CA certificates available and verified, etc.

But, in order to validate user certificates, I need to
update the various CRL from those CA.

Is there a standard way of knowing where and how to connect
to get those CRL, beside reviewing individually for each
CA its CPS ?

Another question strongly related to this one: are there
any open-source tools to achieve this goal available to
your knowledge?

Thank you for your time,

François



ca cert questions (was Re: Dumb SSL question)

2002-04-02 Thread jon schatz

On Tue, 2002-04-02 at 13:50, Ladner, Eric (Eric.Ladner) wrote:
 What mechanism is it that will allow an encrypted communication (a
 connection to the https side of the web server) without popping up
 the View/Accept/Whatever dialog for the certificate?

All that's required is a valid cert ( valid date, correct servername)
signed by a valid CA (installed on your web browser or on the remote
server). which brings me to my question:

my company purchased a cert from geotrust. initially, we couldn't make
the cert work (we got ie dialog saying that the cert was from a company
we had not chose to trust). geotrust had me install a CA cert on the
server and use 'SSLCACertificateFile' to point to it. magically, ie then
trusted the certificate. so why does this work? i mean, why can't i
start forging ssl certificates that are trusted by my own ca files that
i host locally? do browsers do any verification of ca files served up by
remote machines? feel free to point me to documentation on this one...

-jon

-- 
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
You are in a twisty little maze of Sendmail rules, all confusing. 





Re: ca cert questions (was Re: Dumb SSL question)

2002-04-02 Thread Cliff Woolley

On 2 Apr 2002, jon schatz wrote:

 we had not chose to trust). geotrust had me install a CA cert on the
 server and use 'SSLCACertificateFile' to point to it. magically, ie then
 trusted the certificate. so why does this work? i mean, why can't i
 start forging ssl certificates that are trusted by my own ca files that
 i host locally? do browsers do any verification of ca files served up by
 remote machines? feel free to point me to documentation on this one...

The difference is that the CA certificate they would have had you install
(a) is signed by a CA that the browser *does* trust and (b) contains a
flag saying this certificate may be used to sign other certificates.
SSLCertificateChainFile (and SSLCACertificateFile in this case) is all
about establishing a chain of trust back to some entity (a root CA) that
the browser does trust.

Take a look at the CA certificate they gave you... it will have been
signed by some root CA (is Thawte the only one that actually provides this
service?  Maybe Verisign does, I don't know.), and you'll see the special
capabilities flags in there as well.

--Cliff

--
   Cliff Woolley
   [EMAIL PROTECTED]
   Apache HTTP Server Project




Become a CA

2002-03-15 Thread Administrador

Hello,

I'm an ISP. I want to obtain a certificate, and then create my own
certificates for my clients. Is it possible?

-- 
Administrador Técnico
Alsernet 2000
http://www.alsernet.es




Antwort: Re: Antwort: RE: Sign a server CSR with my own CA

2002-03-13 Thread Markus Dallmann


Hi Ed,

works fine!

Many thanks

Markus

PS: Only one typo, which I corrected below for others' convenience.


Date: 12.03.2002 19:20
To: [EMAIL PROTECTED]

Reply to: [EMAIL PROTECTED]

Subject: Re: Antwort: RE: Sign a server CSR with my own CA
Message text:

Markus,

It's a rather involved process, but here's what I did to get it to work.
It's not the most elegant of methods, but it will get you started.

1)  You'll need to generate your RSA keys for both your server and ca:

--openssl rand -out random_data 65000

--openssl genrsa -passout pass:your_server_password -des3 -rand random_data \
    -out server.key 1024

--openssl genrsa -passout pass:your_ca_password -des3 -rand random_data \
    -out ca.key 1024

2)  Now create your CSR:

--openssl req -new -passin pass:your_server_password -config cert.conf \
    -key server.key -out server.csr

Your cert.conf file should look something like:
[ req ]

default_keyfile = server.csr
distinguished_name = req_distinguished_name
prompt = no


[ req_distinguished_name ]

C = US
ST = Califori.. uhh
L = Palo-Alto
O = Hewlett-Packard Co.
OU = WJA
emailAddress = your e-mail address
CN = 123.123.123.123

3)  Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA (output will be PEM formatted) in ca.crt

--openssl req -new -x509 -passin pass:your_ca_password -config cert.conf
-days 365 -key ca.key -out ca.crt

4)  Have the new CA sign the server's CSR and store results in server.crt.
This is the tricky part.

--Create an empty file called certIndex.

--Create a file called certSerialNo, and put a 01 in it.

# -passin unlocks ca.key here, so it takes the CA's passphrase, not the server's
--openssl ca -batch -passin pass:your_ca_password -config ca.conf \
    -out server.crt -infiles server.csr

Your ca.conf file should look something like:

[ ca ]
default_ca       = CA_default             # The default ca section

[ CA_default ]

dir              = c:/apache2/certificates/temp               # top dir
new_certs_dir    = c:/apache2/certificates/temp               # new certs dir
database         = c:/apache2/certificates/temp/certIndex     # index file
serial           = c:/apache2/certificates/temp/certSerialNo  # serial no file
RANDFILE         = c:/apache2/certificates/temp/random_data   # random number file
certificate      = c:/apache2/certificates/temp/ca.crt        # The CA cert
private_key      = c:/apache2/certificates/temp/ca.key        # CA private key

default_days     = 365          # how long to certify for
default_crl_days = 30           # how long before next CRL
default_md       = md5          # md to use

policy           = policy_any   # default policy

[ policy_any ]
localityName           = supplied
countryName            = supplied
stateOrProvinceName    = supplied
organizationName       = supplied
organizationalUnitName = supplied
commonName             = supplied
emailAddress           = optional


That should do it.  There are undoubtedly typos in there somewhere.

Good luck,

Ed


From: Markus Dallmann [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Antwort: RE: Sign a server CSR with my own CA
Date: Tue, 12 Mar 2002 16:51:52 +0100


Done, but nothing found.


Date: 12.03.2002 16:14
To: [EMAIL PROTECTED]

Reply to: [EMAIL PROTECTED]

Subject: RE: Sign a server CSR with my own CA
Message text:

Search for CA.pl

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Dallmann
Sent: Tuesday, March 12, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Sign a server CSR with my own CA



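The procedure Ed lays out above (CA key, self-signed CA cert, `openssl ca` with an index and serial file), together with the CA flag Cliff describes and the PKCS#12 export Jose points Brian to, as one added example; this is not code from the posts, from mod_ssl or from OpenSSL. It assumes OpenSSL 1.1.1 or later on the PATH; the host name www.demo.example, the CN "brian", the organisation names and the passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the posts or from mod_ssl/OpenSSL: a private CA
# signs a server CSR and a client CSR via `openssl ca` (what sign.sh wraps), the
# chain and CA flag are checked, and the client cert is exported as PKCS#12.
# Assumes OpenSSL >= 1.1.1 on PATH; names and passphrases are constructed.
set -eu
CA_PASS="${CA_PASS:-constructed-ca-passphrase}"    # unlocks ca.key (Ed's -des3 step)
P12_PASS="${P12_PASS:-constructed-p12-passphrase}" # protects the exported .p12

# write_ca_conf DIR FQDN: Ed's ca.conf, the index/serial files it needs, and
# extension sections for the certificates the CA will sign.
write_ca_conf() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"   # Ed's certIndex / certSerialNo
  cat > "$dir/ca.conf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_md = sha256            # the post's md5 is no longer acceptable
policy = policy_any
x509_extensions = server_cert  # default extensions for signed certs
[ policy_any ]
organizationName = optional
commonName = supplied
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
[ client_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}
# make_ca DIR: encrypted CA key plus a self-signed CA certificate carrying the
# "may sign other certificates" flag Cliff describes (basicConstraints CA:TRUE).
make_ca() {
  dir="$1"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -config "$dir/ca.conf" -new -x509 -days 365 -sha256 -key "$dir/ca.key" \
    -passin "pass:$CA_PASS" -subj "/O=Demo Private CA/CN=Demo Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -out "$dir/ca.crt"
}
# issue DIR NAME CN EXT: key and CSR for NAME, signed by the CA with extension
# section EXT. `openssl ca` needs the CA key's passphrase (it unlocks ca.key),
# not the server key's.
issue() {
  dir="$1"; name="$2"; cn="$3"; ext="$4"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -config "$dir/ca.conf" -new -key "$dir/$name.key" \
    -subj "/O=Demo Org/CN=$cn" -out "$dir/$name.csr"
  openssl ca -batch -config "$dir/ca.conf" -passin "pass:$CA_PASS" \
    -extensions "$ext" -out "$dir/$name.crt" -infiles "$dir/$name.csr"
}
# check DIR NAME: "ok" when NAME.crt chains to ca.crt, ca.crt is marked CA:TRUE
# and NAME.crt is not; otherwise the reason, with a non-zero status.
check() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || { echo chain-broken; return 1; }
  openssl x509 -in "$dir/ca.crt" -noout -text | grep -q 'CA:TRUE' || { echo ca-flag-missing; return 1; }
  openssl x509 -in "$dir/$name.crt" -noout -text | grep -q 'CA:FALSE' || { echo leaf-marked-ca; return 1; }
  echo ok
}
# export_p12 DIR NAME: the PKCS#12 bundle a browser imports (Jose's answer to
# Brian); prints "ok" once the bundle parses back under its passphrase.
export_p12() {
  dir="$1"; name="$2"
  openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
    -certfile "$dir/ca.crt" -name "$name" -passout "pass:$P12_PASS" -out "$dir/$name.p12"
  openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$P12_PASS" -nokeys -noout && echo ok
}
# run_demo DIR: the whole procedure in order; prints "ok" on success.
run_demo() {
  dir="$1"
  write_ca_conf "$dir" www.demo.example   # constructed FQDN
  make_ca "$dir"
  issue "$dir" server www.demo.example server_cert
  issue "$dir" client brian client_cert
  [ "$(check "$dir" server)" = ok ] && [ "$(check "$dir" client)" = ok ] \
    && [ "$(export_p12 "$dir" client)" = ok ] && echo ok
}

if [ "${1:-}" = run ]; then run_demo "$(mktemp -d)"; fi
```

Run it as `sh ca-demo.sh run`; the resulting server.crt/server.key go into SSLCertificateFile/SSLCertificateKeyFile, ca.crt into SSLCACertificateFile, and client.p12 is what the browser imports.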

Sign a server CSR with my own CA

2002-03-12 Thread Markus Dallmann


Hi,

I'm using a win32 binary version of Perl 5.6.1, mod_perl 1.25 and Apache 1.3.20, which
also includes the apache module mod_ssl (2.8.4-1.3.20) based on OpenSSL (0.9.6a).

I created my own server CRT (passed some problems, e.g. redirecting the config file in
openssl req, downloading the missing openssl.cnf from www.modssl.org) and built my own CA.

But now I have problems signing the CRT with my own CA, because there is no sign.sh
script for WinNT. I tried it with 'openssl ca' and went through several error messages
(the last was a missing index.txt).

Has anybody succeeded in this? Or does anybody have another solution?

kind regards

Markus


--


This e-mail may contain confidential and/or privileged information. If you are not the 
intended recipient (or have received this e-mail in error) please notify the sender 
immediately and destroy this e-mail. Any unauthorized copying, disclosure or 
distribution of the material in this e-mail is strictly forbidden.





RE: Sign a server CSR with my own CA

2002-03-12 Thread Thomas Porter, Ph.D.

Search for CA.pl

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Dallmann
Sent: Tuesday, March 12, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Sign a server CSR with my own CA






ca server certificates

2002-01-24 Thread Erkan Durmus




Hi,
We are using Apache/1.3.9 (Unix) mod_ssl/2.4.10 and we
could authenticate our Windows 2000 CA server certificates for the whole
server. How can I authenticate my clients for a particular URL based on
certificates but still allow arbitrary clients to access the remaining parts of
the server? We configured httpd.conf as:

<Location /pls/secureclient>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>

But it didn't work. We get an error message from the browser (Internet
Explorer version 5.0):

Method Not Allowed
The requested method POST is not allowed for the URL
/pls/secureclient/LOGIN.shtml.

Apache/1.3.9 Server at appsvr Port 443


CA-Server on Win200

2002-01-08 Thread Dr. Peter Kanyion



Hi,

I need to put up a CA Server on Win2000 for testing purposes. Any
recommendation for software will be highly appreciated.

Sorry, if this request is out of scope.

Thanks.
Peter




Re: CA-Server on Win200

2002-01-08 Thread madhon

if you have win2000 server/advanced server you can install certificate
servers to do it

- Original Message -
From: Dr. Peter Kanyion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 08, 2002 11:15 AM
Subject: CA-Server on Win200







RE: CA-Server on Win200

2002-01-08 Thread Dr. Peter Kanyion

Thanks for the swift response. No, I don't have the advanced server version
of Win2000. If I correctly understood your comments, the certificate server
is included in the advanced server, right? If that is the case, I'll strive
to get the Win2000 advanced server version.

Thanks.
Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of madhon
Sent: Dienstag, 8. Januar 2002 12:40
To: [EMAIL PROTECTED]
Subject: Re: CA-Server on Win200





Re: CA-Server on Win200

2002-01-08 Thread madhon

It's included in both the Server and Advanced Server versions of Win2000.
- Original Message - 
From: Dr. Peter Kanyion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 08, 2002 11:44 AM
Subject: RE: CA-Server on Win200





Re: CA installation

2001-12-22 Thread andrew reid

OK, I'm using Mandrake Linux; it came with a predefined
key. I created a new key for my site, but when I put the certificate
and the key in the /etc/httpd/ssl dir the server won't start.


Re: CA installation

2001-12-21 Thread Owen Boyle

andrew reid wrote:
 
 Hi  i created a certificate to used by apache but cant figure out how 
 were to install it help please.

You need a cert and a key. When you compiled apache with mod_ssl, and
did make install, they should have been installed for you. Anyway,
they go in your apache conf dir (e.g. /usr/local/apache/conf) in their
own directories ssl.crt and ssl.key - then you have to point to the key
and cert in httpd.conf: 

SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

Make sure the key and the ssl.key directory are readable ONLY by root -
i.e. permissions 400.

Rgds,

Owen Boyle.



IE6 Base ca-bundle

2001-12-21 Thread m . brulisauer





I have uploaded an IE6 based new ca-bundle.crt
containing all root certs.


http://www.modssl.org/contrib/ca-bundle.crt.tar.gz


With Kind Regards,


Martin Brülisauer
Systime Informatik AG
Engineering & Support
Bruggacherstrasse 26
CH-8117 Fällanden
Phone: +411-806-8650
Fax: +411-806-8622
http://www.systime.ch/





CA certificates

2001-12-14 Thread Chris Rutledge

Does mod_ssl have to have SSLCACertificatePath and or File to authenticate
a verisign test client certificate?

The How-To page reads:

SSLVerifyClient none
<Directory /usr/local/apache/htdocs/secure/area>
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
           %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
</Directory>

for client certificate authentication as method 2. However, if I leave the
SSLCACertificateFile or Path line in, on startup it complains that the
directive does not belong there. Did I miss something in the main
configuration that is causing this? So the only way I can get the server to
start up is by taking those 2 lines out, and then I get "unable to get local
issuer certificate" when I try to connect with the test client cert from
Verisign. Should I have Verisign's CA cert loaded into apache conf?


Thanks in advance,
Chris




Re: Multiple CRLs with same CA

2001-12-13 Thread Schaefer,Lorrayne J.

Yes, you can use OCSP with Entrust issued certificates.  

Lorrayne

[EMAIL PROTECTED] wrote:
 
 Hello Lorrayne,
 
 Thanks for your input.
 By any chance, do you know if i can use OCSP with an Entrust CA (instead of
 CRLs)?
 
 Regards,
 
 Alec
 

 
 From Schaefer,Lorrayne J. [EMAIL PROTECTED] on 12 December 2001
 9:07:02
 To : [EMAIL PROTECTED]
 Copy To : [EMAIL PROTECTED]
 Subject : Re: Multiple CRLs with same CA
 
 Hi everyone.  I was chatting with an Entrust engineer yesterday about
 partitioned CRLs (this is where you can break it down by something such as
 size).  The only CA that currently does this to my knowledge is Entrust.
 
 I agree with Rich Salz's response.  OCSP is a great way to go (and,
 Valicert offers an Apache plug-in).  :-)
 
 Lorrayne
 
 
 

 
 Alec Barea
 PKI engineering team
 Equant
 Tel:  +1 514 847-3436
 CVS: 225 3436
 



Re: Multiple CRLs with same CA

2001-12-13 Thread Rich Salz

 Valicert has listed Entrust as one of its partners.  I would assume that
 would mean that Valicert can interoperate with Entrust issued
 certificates.

I think it is stretching things to say that partnership implies full
parsing of the various Entrust CRL's. How many partnerships do you know
where full implementation or interop is implied? :)
/r$
-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Re: Multiple CRLs with same CA

2001-12-13 Thread Schaefer,Lorrayne J.

Rich,

I'll check w/ an Entrust engineer today to see if I can get an honest
(ha!) answer from him regarding your concerns.

Lorrayne




Re: Multiple CRLs with same CA

2001-12-13 Thread Rich Salz

i'd ask a valicert person, actually.

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Re: Multiple CRLs with same CA

2001-12-13 Thread Alec . Barea


Hello there,

Thanks a lot for your help and input.
Actually I found a solution to the problem. Entrust allows partitioned CRLs
by default (CRLs are split for scalability purposes) but you can enable
the combined CRL which will not be split (for compatibility, as the
partitioned CRL is only an option in the standard). So this one works well
with openssl/mod_ssl.
Those 2 CRLs (combined and partitioned) will both work at the same time
without problems.

If you want more info on that, don't hesitate to ask me.

Cheers,

Alec


From Schaefer,Lorrayne J. [EMAIL PROTECTED] on 12 December 2001
9:07:02
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA


Hi everyone.  I was chatting with an Entrust engineer yesterday about
partitioned CRLs (this is where you can break it down by something such as
size).  The only CA that currently does this to my knowledge is Entrust.

I agree with Rich Salz's response.  OCSP is a great way to go (and,
Valicert offers an Apache plug-in).  :-)

Lorrayne






Alec Barea
PKI engineering team
Equant
Tel:  +1 514 847-3436
CVS: 225 3436

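An added configuration example for the revocation side of this setup; it is not from the thread. It assumes a current httpd 2.4 mod_ssl (SSLCARevocationFile, SSLCARevocationPath and SSLCARevocationCheck are its directive names) and that the combined CRL Alec describes has been exported to conf/ssl.crl/ca-combined.crl; all paths are placeholders. Whether several CRLs for the same issuer are all consulted depends on the OpenSSL the server links against (the behaviour described above in 2001 was first-CRL-only), so the check in the trailing comment is worth running with a deliberately revoked test certificate before relying on the configuration.

```apache
# Added example: CRL-based revocation for client certificates. Paths and the
# httpd 2.4 directive set are assumptions.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key
    SSLCACertificateFile  conf/ssl.crt/ca.crt

    # One PEM file may hold several concatenated CRLs. The alternative is
    # SSLCARevocationPath with files named <hash>.r0, <hash>.r1, ... (create
    # the links with "openssl rehash conf/ssl.crl" after every CRL refresh).
    SSLCARevocationFile   conf/ssl.crl/ca-combined.crl
    # Check revocation for the client certificate and every CA in its chain;
    # "none" (the default before 2.4) silently skips the CRL altogether.
    SSLCARevocationCheck  chain

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# Confirm that a revoked test certificate is rejected by the same OpenSSL the
# server links against, with the same CRL file:
#   openssl verify -crl_check -CAfile conf/ssl.crt/ca.crt \
#       -CRLfile conf/ssl.crl/ca-combined.crl revoked-client.crt
# Expected output ends in "certificate revoked". A clean "OK" here means the
# CRL that was loaded does not cover that certificate, which is exactly the
# partitioned-CRL failure described in the thread.
```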



Re: Multiple CRLs with same CA

2001-12-12 Thread Rich Salz

No, openssl does not yet support the (infinite:) ways to split CRL's
that Entrust likes.

OCSP is simpler. :)
/r$

-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com



Re: Multiple CRLs with same CA

2001-12-12 Thread Schaefer,Lorrayne J.

Hi everyone.  I was chatting with an Entrust engineer yesterday about
partitioned CRLs (this is where you can break it down by something such as
size).  The only CA that currently does this to my knowledge is Entrust.

I agree with Rich Salz's response.  OCSP is a great way to go (and,
Valicert offers an Apache plug-in).  :-)

Lorrayne






Re: Multiple CRLs with same CA

2001-12-12 Thread Alec . Barea


Hello Lorrayne,

Thanks for your input.
By any chance, do you know if i can use OCSP with an Entrust CA (instead of
CRLs)?

Regards,

Alec


From Schaefer,Lorrayne J. [EMAIL PROTECTED] on 12 December 2001
9:07:02
To : [EMAIL PROTECTED]
Copy To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA


Hi everyone.  I was chatting with an Entrust engineer yesterday about
partitioned CRLs (this is where you can break it down by something such as
size).  The only CA that currently does this to my knowledge is Entrust.

I agree with Rich Salz's response.  OCSP is a great way to go (and,
Valicert offers an Apache plug-in).  :-)

Lorrayne






Alec Barea
PKI engineering team
Equant
Tel:  +1 514 847-3436
CVS: 225 3436




Re: Multiple CRLs with same CA

2001-12-12 Thread Rich Salz

Does Valicert support the various Entrust CRL extensions and
partitioning?

If not, then they're useless for this problem.
/r$

-- 
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com



Multiple CRLs with same CA

2001-12-11 Thread Alec . Barea

Hello there,

Is mod_ssl supporting having multiple CRLs for 1 CA?
It seems it's not, and that's very annoying in my situation.
I'm using Entrust PKI software which splits the CRL list when it reaches
a defined size (for scalability). mod_ssl seems to check only the first
CRL and doesn't care about the others, which means that users with
revoked certificates can use them...

Regards,

Alec



Alec Barea
PKI engineering team
Equant
Tel:  +1 514 847-3436
CVS: 225 3436




Re: Multiple CRLs with same CA

2001-12-11 Thread Mads Toftum

On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
 Hello there,
 
 Is mod_ssl supporting having multiple CRLs for 1 CA?
 It seems it's not, and that's very annoying in my situation.
 I'm using Entrust PKI software which splits the CRL list when it reaches
 a defined size (for scalability). mod_ssl seems to check only the first
 CRL and doesn't care about the others, which means that users with
 revoked certificates can use them...
 
Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable
solution in an Entrust setup. 

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy



Re: Multiple CRLs with same CA

2001-12-11 Thread Alec . Barea


Hello Mads,

Thanks for your answer.
I took a look at the web page of mod_authz_ldap but couldn't figure out how
it could help me; can you explain your thoughts a bit more?

Regards,

Alec


From Mads Toftum [EMAIL PROTECTED] on 11 December 2001 23:45:53
To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA


On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
 Hello there,

 Is mod_ssl supporting having multiple CRLs for 1 CA?
 It seems it's not, and that's very annoying in my situation.
 I'm using Entrust PKI software which splits the CRL list when it reaches
 a defined size (for scalability). mod_ssl seems to check only the first
 CRL and doesn't care about the others, which means that users with
 revoked certificates can use them...

Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable
solution in an Entrust setup.

vh

Mads Toftum
--
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy



Alec Barea
PKI engineering team
Equant
Tel:  +1 514 847-3436
CVS: 225 3436




RE: Re: Importing Self-signed CA into Netscape Browser

2001-08-22 Thread Alex Pircher

Have you created your CA-Certificate with the steps in
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29 ?

Then you have the certificate in the right format.
I don't know if it works under Linux/Unix if you call a certificate from a file-URL
(in Windump it doesn't), try to request it via http and the loadcacert.cgi (so that
the correct mime-type is transmitted). After that Netscape brings up a Window to
install the Certificate automatically and no password is required.

Here is the installation process for the cert with pictures (but in German):

Netscape 4: http://www.weisshuhn.de/security/ssl/netscape.html
Netscape 6: http://www.weisshuhn.de/security/ssl/ns6.html

GreetingX,
 Alex

 --- George Walsh [EMAIL PROTECTED] wrote:
 Thanks for taking the trouble to respond to my apparent thick-mindedness, Alex!
 
 I pointed the URL to the actual test file containing the certificate: in this case
 file:///opt/apache/conf/ssl.crt/ca.crt.
 
 Then, I hit on the security icon and asked to import the certificate. It asks for a
 password (which I left blank) and then the name of the file - indicating an *.p12
 extension. However, it will only find the file without the extension, of course. This
 suggests to me that some kind of conversion is necessary? If I ask to look for
 certificates accepted (in any category!) nothing shows except the commercial CAs.
 
 Can you provide me with a further step up?
 Maybe I need to go back and recreate the certificates in encrypted form???
 
 Thanks, Alex.
 
 George
 
 
 Alex Pircher [EMAIL PROTECTED] wrote:
 
 Can you provide the URL of loadcacert.cgi?
 
 If SSL is enabled the mime-type for certificates is ordinarily correctly set in the
 httpd.conf. So actually you don't need loadcacert.cgi, you just have to point your
 Browser to the URL of the certificate. This worked for me without problems.
 
 GreetingX,
  Alex
 
  I prepared the CAs using the make certificate TYPE=custom option. Both the server
  and the CA files look fine to me and are in their proper pews.
  There were warnings about security depth being 0, but that is to be expected during
  the creation process.
  
  In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and
  use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into
  the browser.
  
  Then I have to 'walk through the dialog boxes'.
  
  Well, this is all too simple for me to comprehend. I can execute the script file and
  it assigns the x509 type, determines the length and prints out the certificate data,
  but that doesn't get into Communicator, so nothing really happens. How do I tie the
  script output into Communicator to trigger what should be happening?
  
  Or is there a more straightforward way???
  
  Thanks,
  
  George Walsh,
  Managing Director
  Travel Seewise Pacific Corp
  
  -- 
  George Walsh,
  Managing Director,
  Travel Seewise Pacific Corp
  Vancouver Canada



Re: Importing Self-signed CA into Netscape Browser

2001-08-21 Thread Alex Pircher

Can you provide the URL of loadcacert.cgi?

If SSL is enabled the mime-type for certificates is ordinarily correctly set in the
httpd.conf. So actually you don't need loadcacert.cgi, you just have to point your
Browser to the URL of the certificate. This worked for me without problems.

GreetingX,
 Alex

 I prepared the CAs using the make certificate TYPE=custom option. Both the server
 and the CA files look fine to me and are in their proper pews.
 There were warnings about security depth being 0, but that is to be expected during
 the creation process.
 
 In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and
 use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into
 the browser.
 
 Then I have to 'walk through the dialog boxes'.
 
 Well, this is all too simple for me to comprehend. I can execute the script file and
 it assigns the x509 type, determines the length and prints out the certificate data,
 but that doesn't get into Communicator, so nothing really happens. How do I tie the
 script output into Communicator to trigger what should be happening?
 
 Or is there a more straightforward way???
 
 Thanks,
 
 George Walsh,
 Managing Director
 Travel Seewise Pacific Corp
 
 -- 
 George Walsh,
 Managing Director,
 Travel Seewise Pacific Corp
 Vancouver Canada



RE: Re: Importing Self-signed CA into Netscape Browser

2001-08-21 Thread George Walsh

Thanks for taking the trouble to respond to my apparent thick-mindedness, Alex!

I pointed the URL to the actual test file containing the certificate: in this case 
file:///opt/apache/conf/ssl.crt/ca.crt.

Then, I hit on the security icon and asked to import the certificate. It asks for a
password (which I left blank) and then the name of the file - indicating an *.p12
extension. However, it will only find the file without the extension, of course. This
suggests to me that some kind of conversion is necessary? If I ask to look for
certificates accepted (in any category!) nothing shows except the commercial CAs.

Can you provide me with a further step up?
Maybe I need to go back and recreate the certificates in encrypted form???

Thanks, Alex.

George


Alex Pircher [EMAIL PROTECTED] wrote:

Can you provide the URL of loadcacert.cgi?

If SSL is enabled the mime-type for certificates is ordinarily correctly set in the
httpd.conf. So actually you don't need loadcacert.cgi, you just have to point your
Browser to the URL of the certificate. This worked for me without problems.

GreetingX,
 Alex

 I prepared the CAs using the make certificate TYPE=custom option. Both the server
 and the CA files look fine to me and are in their proper pews.
 There were warnings about security depth being 0, but that is to be expected during
 the creation process.
 
 In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and
 use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into
 the browser.
 
 Then I have to 'walk through the dialog boxes'.
 
 Well, this is all too simple for me to comprehend. I can execute the script file and
 it assigns the x509 type, determines the length and prints out the certificate data,
 but that doesn't get into Communicator, so nothing really happens. How do I tie the
 script output into Communicator to trigger what should be happening?
 
 Or is there a more straightforward way???
 
 Thanks,
 
 George Walsh,
 Managing Director
 Travel Seewise Pacific Corp
 
 -- 
 George Walsh,
 Managing Director,
 Travel Seewise Pacific Corp
 Vancouver Canada

-- 
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada






Importing Self-signed CA into Netscape Browser

2001-08-20 Thread George Walsh

I prepared the CAs using the make certificate TYPE=custom option. Both the server 
and the CA files look fine to me and are in their proper pews.
There were warnings about security depth being 0, but that is to be expected during 
the creation process.

In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and 
use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into 
the browser.

Then I have to 'walk through the dialog boxes'.

Well, this is all too simple for me to comprehend. I can execute the script file and 
it assigns the x509 type, determines the length and prints out the certificate data, 
but that doesn't get into Communicator, so nothing really happens. How do I tie the 
script output into Communicator to trigger what should be happening?

Or is there a more straightforward way???

Thanks,

George Walsh,
Managing Director
Travel Seewise Pacific Corp

-- 
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada






expired CA certificate

2001-07-20 Thread Marko Asplund


what's the best way to renew an expired, self-signed CA certificate? i'd
like to be able to automate the steps that users (https, imaps with
Netscape and Outlook) will have to go through during the renewal process
so, they don't have to find the old CA certificate in their programs and
delete it. can Certificate Revocation Lists be used for this?

best regards,
-- 
aspa






Re: Does this CA process make sense?

2001-07-12 Thread Dan Langille

On 11 Jul 2001, at 9:51, Lutz Jaenicke wrote:

 On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
 ...
  I imported iestuff.p12 into my MSIE browser and select that certificate 
  when prompted by the browser.
  
  I then used the following SSL related values in my SSL vhost:
  
  SSLEngine   on
  SSLCertificateFile  /home/dan/CA/demoCA/cacert.pem
  SSLCertificateKeyFile   /home/dan/CA/demoCA/private/cakey.key
  
  SSLCACertificatePath/home/dan/CA/demoCA/
  SSLCACertificateFile/home/dan/CA/demoCA/cacert.pem
  
  Location /securelocation
  SSLVerifyClient require
  SSLVerifyDepth  1
  /Location
  
  Note that I'm using the CA certificate and key for the SSL and the 
  SSLCA information.  Does that make sense?  I tried this:
  
  SSLCACertificatePath/home/dan/CA/
  SSLCACertificateFile/home/dan/CA/newcert.pem
  
  But if I use that combination, my browser certificate is not listed in the 
  Client Authentication dialog box presented by the browser when I go 
  to /securelocation.
  
  Why?  What have I misunderstood?
 
 You should use three distinct certificates (and corresponding private keys):
 * The CA certificate. You already have one, use it with SSLCACertificateFile

SSLCACertificatePath/home/dan/CA/demoCA/
SSLCACertificateFile/home/dan/CA/demoCA/cacert.pem

 * The server's certificate. You don't have one by now. Create a new one
   signed from your CA. Issue it for CommonName (CN) being the FQDN
   (fully qualified domain name) of your server: Use it with
   mv newkey.pem server_key.pem
   mv newcert.pem server_cert.pem
   SSLCertificateFile /path/to/server_cert.pem
   SSLCertificateKeyFile /path/to/server_key.pem

SSLCertificateFile  /home/dan/CA/server_cert.pem
SSLCertificateKeyFile   /home/dan/CA/server_key.pem

 * The client key. You already put it into iestuff.p12...

Done.  Thank you.  That's working fine now.  I see what I was doing 
wrong.  I was swapping the server and CA certificates.  That's why the 
browser did not list any certificates when I visited the secure area of the 
site.

cheers

-- 
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php



Re: Does this CA process make sense?

2001-07-11 Thread Lutz Jaenicke

On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
...
 I imported iestuff.p12 into my MSIE browser and select that certificate 
 when prompted by the browser.
 
 I then used the following SSL related values in my SSL vhost:
 
 SSLEngine   on
 SSLCertificateFile  /home/dan/CA/demoCA/cacert.pem
 SSLCertificateKeyFile   /home/dan/CA/demoCA/private/cakey.key
 
 SSLCACertificatePath/home/dan/CA/demoCA/
 SSLCACertificateFile/home/dan/CA/demoCA/cacert.pem
 
 Location /securelocation
 SSLVerifyClient require
 SSLVerifyDepth  1
 /Location
 
 Note that I'm using the CA certificate and key for the SSL and the 
 SSLCA information.  Does that make sense?  I tried this:
 
 SSLCACertificatePath/home/dan/CA/
 SSLCACertificateFile/home/dan/CA/newcert.pem
 
 But if I use that combination, my browser certificate is not listed in the 
 Client Authentication dialog box presented by the browser when I go 
 to /securelocation.
 
 Why?  What have I misunderstood?

You should use three distinct certificates (and corresponding private keys):
* The CA certificate. You already have one, use it with SSLCACertificateFile
* The server's certificate. You don't have one by now. Create a new one
  signed from your CA. Issue it for CommonName (CN) being the FQDN
  (fully qualified domain name) of your server: Use it with
  mv newkey.pem server_key.pem
  mv newcert.pem server_cert.pem
  SSLCertificateFile /path/to/server_cert.pem
  SSLCertificateKeyFile /path/to/server_key.pem
* The client key. You already put it into iestuff.p12...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Does this CA process make sense?

2001-07-10 Thread Dan Langille

I'm using the CA.pl script provided with openssl in order to create a CA 
and then produce a self-signed certificate.  I'm just looking for 
confirmation that I'm going through the correct steps and putting the 
right values into Apache.

All commands are issued from /home/dan/CA.  The Apache directives 
point at the files in question rather than their ultimate destination off 
somewhere else.  This is just for testing.  Kids, don't do this at home

perl CA.pl -newca
perl CA.pl -newreq
perl CA.pl -sign
openssl rsa  newreq.pem  newkey.pem

openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out 
iestuff.p12

I imported iestuff.p12 into my MSIE browser and select that certificate 
when prompted by the browser.

I then used the following SSL related values in my SSL vhost:

SSLEngine   on
SSLCertificateFile  /home/dan/CA/demoCA/cacert.pem
SSLCertificateKeyFile   /home/dan/CA/demoCA/private/cakey.key

SSLCACertificatePath/home/dan/CA/demoCA/
SSLCACertificateFile/home/dan/CA/demoCA/cacert.pem

Location /securelocation
SSLVerifyClient require
SSLVerifyDepth  1
/Location

Note that I'm using the CA certificate and key for the SSL and the 
SSLCA information.  Does that make sense?  I tried this:

SSLCACertificatePath/home/dan/CA/
SSLCACertificateFile/home/dan/CA/newcert.pem

But if I use that combination, my browser certificate is not listed in the 
Client Authentication dialog box presented by the browser when I go 
to /securelocation.

Why?  What have I misunderstood?

thanks.

-- 
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php



Re: SSLCertificateChain file for Intermediate CA

2001-05-23 Thread Rajaram . Vasudev


Hi Damon,
   Could you please put in the corrected part of your httpd.conf file - all
the directives that are relevant to SSL connections.
I am interested in looking at the corrected piece ( and commented pieces as
well).

Rajaram.


   

   

Damon Maria [EMAIL PROTECTED] wrote on 05/22/01 08:42 PM:
To: [EMAIL PROTECTED]
Subject: Re: SSLCertificateChain file for Intermediate CA

I think I've solved my problem and would just like to post the answer
for someone else's reference.

The offending line is:

  SSLProtocol -all +SSLv2

If I take that line out mod_ssl can load the certificate chain. I
presume there's a good reason for this (chains require SSLv3 at a
guess)?

SSLProtocol was originally added because we just couldn't get around
problems with MSIE 4.x connecting with SSL. Although it is a big hack,
the suggested SSL changes in the mod_ssl FAQ just didn't work for us.
I've since removed the SSLProtocol, added a SSL session cache and added
+eNULL to the end of the SSLCipherSuite. Now I'm just waiting to see if
MSIE 4.x users can still connect.

I've also recently seen talk of

  SSLRequire  %{SSL_CIPHER} = 128

solving the MSIE SGC bug. Has someone confirmed this to be true?

thanks for the help,
Damon.

 -- VirtualHost 
   ServerName www.motorweb.co.nz

   SSLEngine on

 # The following hopefully get around the MSIE 4.x and 5.0 SGC bug
 #  SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

 # The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
   SSLProtocol -all +SSLv2
   SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
 #  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

 # SSLLog /var/log/httpd/ssl_engine_log
 # SSLLogLevel debug

   SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

   CustomLog /var/log/httpd/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Re: SSLCertificateChain file for Intermediate CA

2001-05-23 Thread Damon Maria

[EMAIL PROTECTED] wrote:
 
 Hi Damon,
Could you please put in the corrected part of your httpd.conf file - all
 the directives that are relavant to SSL connections.

OK, this is for the site https://www.motorweb.co.nz.. Try it and you may
I say.

First off, I'm using a Verisign Global ID certificate (ie. SGC). 

What I have currently works with MSIE 5+ and NS 4.7 (haven't tried other
NS's). 

It does work with MSIE 4 but this version of IE doesn't like the Verisign
Global certificate (it can't complete the chain) and therefore says it
doesn't trust our site. This is despite the fact that Verisign says the
Global ID's work with MSIE 4+, so I must still have something wrong. At
the bottom of this message is the ssl_engine_log of the server starting
up and MSIE 4.7 trying to connect. Can someone point out why the
intermediate_ca doesn't seem to get to IE? Is it because IE is
connecting with SSLv2?

Anyway, here's the relevant lines from my httpd.conf

--- httpd.conf ---

Listen 443

# SSL session cache is required to get around MSIE bugs
SSLSessionCache dbm:/var/log/httpd/ssl_cache
SSLSessionCacheTimeout 300

<VirtualHost 210.55.172.141:443>
  ServerName www.motorweb.co.nz

  SSLEngine on

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate-ca.crt
  SSLLog /var/log/httpd/ssl_engine_log
  SSLLogLevel trace

  SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

  CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

--- ssl_engine_log ---

Init: Loading certificate  private key of SSL-aware server
www.motorweb.co.nz:443
Init: (www.motorweb.co.nz:443) unencrypted RSA private key - pass phrase
not required
Init: Configuring server www.motorweb.co.nz:443 for SSL protocol
Init: (www.motorweb.co.nz:443) Creating new SSL context (protocols:
SSLv2, SSLv3, TLSv1)
Init: (www.motorweb.co.nz:443) Configuring permitted SSL ciphers
[ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
Init: (www.motorweb.co.nz:443) Configuring RSA server certificate
Init: (www.motorweb.co.nz:443) RSA server certificate enables Server
Gated Cryptography (SGC)
Init: (www.motorweb.co.nz:443) Configuring RSA server private key
Init: (www.motorweb.co.nz:443) Configuring server certificate chain (1
CA certificate)
Connection to child 2 established (server www.motorweb.co.nz:443, client
210.55.82.41)
Seeding PRNG with 0 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
OpenSSL: Loop: SSLv2 read client hello A
OpenSSL: Loop: SSLv2 write server hello A
OpenSSL: Loop: SSLv2 read client master key A
OpenSSL: Loop: SSLv2 server start encryption
OpenSSL: Loop: SSLv2 write server verify A
OpenSSL: Loop: SSLv2 read client finished A
OpenSSL: Loop: SSLv2 write request certificate A
OpenSSL: Loop: SSLv2 write server finished A
Inter-Process Session Cache: request=SET status=OK
id=82EBC78C51D8403F32DA3EA9C62507DC timeout=299s (session caching)
OpenSSL: Handshake: done
Connection: Client IP: 210.55.82.41, Protocol: SSLv2, Cipher:
EXP-RC4-MD5 (40/128 bits)
Connection to child 2 closed with standard shutdown (server
www.motorweb.co.nz:443, client 210.55.82.41)
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: R: Cert signed by own CA and IE

2001-05-20 Thread Diego Tartara

Genkin.

I think I know what your problem is.
You must add the issuer of the certificate to the certificate chain. The
problem is that IE doesn't have the ROOT (issuer) for the certificate and it
must have the entire chain to consider it trusted.
Place the issuer (I think Thpoon CA) in the certificate chain (usually
ca-bundle.pem) so mod_ssl has a way to offer the entire certification chain
to the browser.
Right now this is not happening as IE can not retrieve the ROOT certificate
from the session.

Hope it works, drop me a line

Diego

- Original Message -
From: Arcady Genkin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 16, 2001 10:01 PM
Subject: Re: R: Cert signed by own CA and IE


 Andrea Cerrito [EMAIL PROTECTED] writes:

 Connecting to a secure site with a certificate signed by own CA, IE
 seems to provide no obvious way of permanently adding the cert to the
 browser's configuration.  As a result, a warning that The security
 certificate is issued by a company you have not chosen to trust... is
 displayed every time I'm trying to establish a connection.  Is there a
 fool-proof way to permanently add a certificate or tell IE that the CA
 is to be trusted?

 Show Certificate / Install Certificate.

 I tried that, and it didn't work.  It told me that the certificate was
 installed successfully, but once I quit IE, restart it, and load the
 page again, it displays the same warning again.

 The minimal html page I'm experimenting with is at https://www.thpoon.com
 If anyone would try to install the certificate from it in IE: maybe I
 did something wrong with configuration?
 
  I wasn't able to install it.  Can u print your conf?

 You mean from httpd.conf?  Since it's huge, I've posted it at

   http://www.thpoon.com/tmp/httpd.conf

 rather than sending to the list.  The SSL-related stuff is at the
 bottom of it.

 Thanks!

 p.s.  This is a repost, since I have replied from a different email
 address than the one I've subscribed from and I'm afraid that it
 didn't come through.  Sorry if this is a dupe.
 --
 Arcady Genkin




R: R: Cert signed by own CA and IE

2001-05-19 Thread Andrea Cerrito

Sorry for delay, I was on beach... :)
I saw you solved your problem. Great.
---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 744 5441330
Fax. +39 744 5441372

 -----Original message-----
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Paul-Catalin Oros
 Sent: Friday, 18 May 2001 17:59
 To: [EMAIL PROTECTED]
 Subject: Re: R: Cert signed by own CA and IE


 Hi Arcady!

 Have you solved your problem? I was able to install your
 Certificate, after I installed your self-signed CA certificate.
 Is it possible this to be the missing step in your testing? The
 CA cert has to be added to your root auth., then you'll be able
 to install the actual server certificate.

 Hope this helps,

 Paul

 PS: I am using IE 5.0

 On Wed, 16 May 2001, Arcady Genkin wrote:

  Andrea Cerrito [EMAIL PROTECTED] writes:

  Connecting to a secure site with a certificate signed by own CA, IE
  seems to provide no obvious way of permanently adding the cert to the
  browser's configuration.  As a result, a warning that The security
  certificate is issued by a company you have not chosen to trust... is
  displayed every time I'm trying to establish a connection.  Is there a
  fool-proof way to permanently add a certificate or tell IE that the CA
  is to be trusted?

  Show Certificate / Install Certificate.

  I tried that, and it didn't work.  It told me that the certificate was
  installed successfully, but once I quit IE, restart it, and load the
  page again, it displays the same warning again.

  The minimal html page I'm experimenting with is at https://www.thpoon.com
  If anyone would try to install the certificate from it in IE: maybe I
  did something wrong with configuration?
 
  I wasn't able to install it.  Can u print your conf?

 You mean from httpd.conf?  Since it's huge, I've posted it at

   http://www.thpoon.com/tmp/httpd.conf

 rather than sending to the list.  The SSL-related stuff is at the
 bottom of it.

 Thanks!

 p.s.  This is a repost, since I have replied from a different email
 address than the one I've subscribed from and I'm afraid that it
 didn't come through.  Sorry if this is a dupe.
 --
 Arcady Genkin

--
Bills travel through the mail at twice the speed of checks




Re: SSLCertificateChain file for Intermediate CA

2001-05-19 Thread Damon Maria

 Without going through mod_ssl's source: did you try to put the complete
 chain into the ChainFile? 

Tried this, but it didn't make any difference.

 With respect to the error message, mod_ssl can write more messages
 than that into e.g. an ssl_engine_log. Did you check all possible
 logfiles?

I've checked, even with SSLLogLevel debug I couldn't get any more out of
it.

I've since looked through the mod_ssl source and if there is any kind of
error while trying to load the ChainFile then the generic Failed to
configure CA certificate chain! message is produced. Not very helpful
really since there are many possibilities.

I have also tried using SSLCACertificateFile instead of and in
conjunction with SSLCertificateChainFile. This was described at
http://www.verisign.com/support/tlc/class3_install_docs/ssleay/v00g.html
as the instructions for ApacheSSL rather than mod_ssl. If used instead
of SSLCertificateChainFile no init errors happen and the following is
reported in ssl_engine_log:

[20/May/2001 15:10:19 11541] [trace] Init: (www.motorweb.co.nz:443)
Configuring client authentication
[20/May/2001 15:10:19 11541] [trace] CA certificate: /O=VeriSign Trust
Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class
3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

So it appears there is nothing wrong with my Intermediate Certificate
(since that's what the trace is outputting) or Apache's ability to read
it. Why oh why then doesn't it work with SSLCertificateChainFile,
agh!

Thanks for the help and suggestions, but I'm still stuck.

One thing I haven't mentioned previously is that I'm running Apache
1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with
either of these versions.

regards,
Damon.



Re: SSLCertificateChain file for Intermediate CA

2001-05-19 Thread Juha Saarinen

On Sun, 20 May 2001, Damon Maria wrote:

 One thing I haven't mentioned previously is that I'm running Apache
 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with
 either of these versions.

Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with
mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and
it uses the SSLCertificateChain thang without problems.

-- 
Regards,


Juha

PGP fingerprint:
B7E1 CC52 5FCA 9756 B502  10C8 4CD8 B066 12F3 9544




Re: SSLCertificateChain file for Intermediate CA

2001-05-19 Thread Damon Maria

Juha Saarinen wrote:
 
 On Sun, 20 May 2001, Damon Maria wrote:
 
  One thing I haven't mentioned previously is that I'm running Apache
  1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with
  either of these versions.
 
 Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with
 mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and
 it uses the SSLCertificateChain thang without problems.

I may as well, I'm running out of other options. 

thanks again for the help,
Damon.



Re: SSLCertificateChain file for Intermediate CA

2001-05-18 Thread Lutz Jaenicke

On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:
 Since I haven't gotten too much of a response yet (except for thanks to
 Juha) I'll post my VirtualHost in httpd.conf, which I probably should
 have done in the first place.
 
 If I uncomment the SSLCertificateChainFile line then the following
 appears in the log and apache won't start...
 
 [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
 certificate chain!
 
 I've copied my original message at the bottom of this one which contains
 the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it
 from Verisign's site).

Without going through mod_ssl's source: did you try to put the complete
chain into the ChainFile? The server cert is in its own file. For my
server (www.aet.tu-cottbus.de) I have an intermediate and a root CA
certificate. Both are concatenated together into the chain file.

With respect to the error message, mod_ssl can write more messages
than that into e.g. an ssl_engine_log. Did you check all possible
logfiles?

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



AW: SSLCertificateChain file for Intermediate CA

2001-05-18 Thread Henning von Bargen

Lutz, when I try to access your site
with Internet Explorer 5.5,
IE tells me that it cannot verify the certificate.
The German error message is (translated):
The certificate was issued by a company you have not chosen to trust.
Examine the certificate to determine whether you want to trust the
issuing authority.

 -----Original message-----
 From:  Lutz Jaenicke [SMTP:[EMAIL PROTECTED]]
 Sent:  Friday, 18 May 2001 10:50
 To:   [EMAIL PROTECTED]
 Subject:  Re: SSLCertificateChain file for Intermediate CA
 
 On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:
  Since I haven't gotten too much of a response yet (except for thanks to
  Juha) I'll post my VirtualHost in httpd.conf, which I probably should
  have done in the first place.
  
  If I uncomment the SSLCertificateChainFile line then the following
  appears in the log and apache won't start...
  
  [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
  certificate chain!
  
  I've copied my original message at the bottom of this one which contains
  the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it
  from Verisign's site).
 
 Without going through mod_ssl's source: did you try to put the complete
 chain into the ChainFile? The server cert is in its own file. For my
 server (www.aet.tu-cottbus.de) I have an intermediate and a root CA
 certificate. Both are concatenated together into the chain file.
 
 With respect to the error message, mod_ssl can write more messages
 than that into e.g. an ssl_engine_log. Did you check all possible
 logfiles?
 
 Best regards,
   Lutz
 -- 
 Lutz Jaenicke [EMAIL PROTECTED]
 BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
 Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
 Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: SSLCertificateChain file for Intermediate CA

2001-05-18 Thread Lutz Jaenicke

On Fri, May 18, 2001 at 01:21:31PM +0200, Henning von Bargen wrote:
 Lutz, when I try to access your site
 with Internet Explorer 5.5,
 IE tells me that it cannot verify the certificate.
 The German error message is (translated):
 The certificate was issued by a company you have not chosen to trust.
 Examine the certificate to determine whether you want to trust the
 issuing authority.

Yes, that is true. Our certificate was issued by our university's
computer center (intermediate CA) and the root CA is the DFN
(german research network, the provider for the german universities
and scientific institutions).

emws1 26: openssl s_client -connect www.aet.tu-cottbus.de:443
CONNECTED(0003)
depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
Cottbus/OU=Allgemeine Elektrotechnik und Numerische 
[EMAIL PROTECTED]
   i:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
[EMAIL PROTECTED]
 1 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
[EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
 2 s:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]

The message IE shows is due to the fact that DFN-PCA is not part of the
standard CA bundle.
When you import the DFN-PCA certificate, the problem will go away:
  http://www.pca.dfn.de/dfnpca/certify/ssl/pca-key.html
(I also have not initialized the trusted CA storage for openssl s_client,
which correspondingly complains about self signed certificate in
certificate chain).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: R: Cert signed by own CA and IE

2001-05-18 Thread Paul-Catalin Oros

Hi Arcady!

Have you solved your problem? I was able to install your Certificate, after I 
installed your self-signed CA certificate. Is it possible this to be the missing step 
in your testing? The CA cert has to be added to your root auth., then you'll be able 
to install the actual server certificate.

Hope this helps,

Paul

PS: I am using IE 5.0

On Wed, 16 May 2001, Arcady Genkin wrote:

 Andrea Cerrito [EMAIL PROTECTED] writes:
 
 Connecting to a secure site with a certificate signed by own CA, IE
 seems to provide no obvious way of permanently adding the cert to the
 browser's configuration.  As a result, a warning that The security
 certificate is issued by a company you have not chosen to trust... is
 displayed every time I'm trying to establish a connection.  Is there a
 fool-proof way to permanently add a certificate or tell IE that the CA
 is to be trusted?
   
Show Certificate / Install Certificate.
  
   I tried that, and it didn't work.  It told me that the certificate was
   installed successfully, but once I quit IE, restart it, and load the
   page again, it displays the same warning again.
  
   The minimal html page I'm experimenting with is at https://www.thpoon.com
   If anyone would try to install the certificate from it in IE: maybe I
   did something wrong with configuration?
  
  I wasn't able to install it.  Can u print your conf?
 
 You mean from httpd.conf?  Since it's huge, I've posted it at
 
   http://www.thpoon.com/tmp/httpd.conf
 
 rather than sending to the list.  The SSL-related stuff is at the
 bottom of it.
 
 Thanks!
 
 p.s.  This is a repost, since I have replied from a different email
 address than the one I've subscribed from and I'm afraid that it
 didn't come through.  Sorry if this is a dupe.
 -- 
 Arcady Genkin

-- 
Bills travel through the mail at twice the speed of checks 




Re: R: Cert signed by own CA and IE

2001-05-18 Thread Arcady Genkin

Paul-Catalin Oros [EMAIL PROTECTED] writes:

 Have you solved your problem? I wasw able to install your
 Certificate, after I installed your self-signed CA certificate. Is
 it possible this to be the missing step in your testing? The CA cert
 has to be added to your root auth., then you'll be able to install
 the actual server certificate.

Yes, it seems that I have solved the problem by pointing
SSLCertificateChainFile to my ca.crt, with off-list help from another
list member.  It now works fine.

In my opinion the easiest way of configuring IE to access sites with
certificates signed by own CAs is to put the CA's certificate in a URL
and let the users click on it: the browser will pop up a dialogue to
install a new root authority cert, and after that all is done.

Thanks,
-- 
Arcady Genkin



Re: Being one's own CA for a University computer lab

2001-05-17 Thread Jan Dries



Arcady Genkin wrote:
 
 The documentation states that being one's own CA is insecure in the
 Internet environment, while is acceptable on the intra-net.  Could
 anyone explain the issues implied by that statement?

SSL is not less secure if you are your own CA, at least from a technical
point of view. 
But the problem is that a CA is supposed to be a mutually trusted
neutral third party, that can guarantee to the server that the client is
who it says it is, and to the client that the server is who it says it
is. 
If you are your own CA, chances are no one on the internet is going to
trust you.
In your situation though, I think it's of little or no importance. 

 
 Also, to what extent is the user inconvenienced by an SSL site using
 certificate signed by a non-well-known authority?  Are the browsers
 cooperative when it comes to adding such an authority to the list of
 known CAs?

I wouldn't count on Netscape or Microsoft to include your university's
self signed root CA certificate :-)
Still, that's not really a problem. The only inconvenience is that
clients will have to explicitly import your own root CA certificate just
once.

 
 We are planning on setting up a secure site for a university's
 computer lab for the instructors and students to use.  So, the context
 is non-commercial environment where the users can trust us to provide
 valid certificates.  They'll be connecting both via the local network
 and the Internet, though, and we'd like to know what we are risking by
 going the way of being our own CA.

From what you tell, I'd say being your own CA is a very good solution.

Regards,
Jan



Re: SSLCertificateChain file for Intermediate CA

2001-05-17 Thread Damon Maria

 I presume you're not trying to explicitly construct the server certificate
 chain that is being sent to the browser, together with the actual server
 cert?

This is what I'm trying to do. I'm trying to send all the certificates
in the chain (except the root) to the browser. This includes my server
certificate and the intermediate certificate. 

If you try https://www.motorweb.co.nz/ in IE (I'm using 5.0) and click
on the padlock, look at the Certification Path. You'll see there is the
Primary CA, the www.verisign.com Intermediate CA and then the
www.motorweb.co.nz certificate. IE contains the Primary and Intermediate
CA and so works fine. Other browsers don't contain the Intermediate CA
and so can't complete the chain. 

I need to get mod_ssl to serve up the Intermediate CA, and that's what
SSLCertificateChainFile is supposed to do. But adding that into
httpd.conf causes mod_ssl to die on startup: Failed to configure CA
certificate chain!

regards,
Damon.



Re: SSLCertificateChain file for Intermediate CA

2001-05-17 Thread Damon Maria

Since I haven't gotten too much of a response yet (except for thanks to
Juha) I'll post my VirtualHost in httpd.conf, which I probably should
have done in the first place.

If I uncomment the SSLCertificateChainFile line then the following
appears in the log and apache won't start...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
certificate chain!

I've copied my original message at the bottom of this one which contains
the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it
from Verisign's site).

I've seen this solution to the Global ID Intermediate CA problem
documented all over the web, but can't get it to work. There must be
something obviously wrong with what I've done. 

yours in desperation,
Damon.


-- VirtualHost 
  ServerName www.motorweb.co.nz

  SSLEngine on

# The following hopefully get around the MSIE 4.x and 5.0 SGC bug
#  SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
  SSLProtocol -all +SSLv2
  SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
#  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

# SSLLog /var/log/httpd/ssl_engine_log
# SSLLogLevel debug

  SetEnvIf User-Agent .*MSIE.* \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

  CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


 Original Message 
Subject: SSLCertificateChain file for Intermediate CA
Date: Thu, 17 May 2001 15:47:46 +1200
From: Damon Maria [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

I'm using a Verisign Global ID and therefore need to configure modssl to
serve up the Intermediate CA. I've followed the various instructions
I've found for this but with no success.

I downloaded the Intermediate CA and saved it under intermediate_ca.crt
(I've listed it at the bottom of this message). I then added...

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

into my VirtualHost next to all the other SSL* settings. But if I start
Apache with this setting it reports...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
certificate chain!

I've tried SSLLogLevel debug but this doesn't produce any more
information.

I've been trying for ages and am getting desperate, can someone help me
out.

thanks in advance,
Damon Maria.

-BEGIN CERTIFICATE-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-END CERTIFICATE-


