Re: Can I use a CA-signed cert to create client authentication certificates?
Hi,

Asking every time does make it complicated. I can't remember whether the Firefox default is to ask or auto-supply (and it has changed behaviour between 1/2/3 AFAIK); I have it set to ask every time. Anyway, the ask-every-time FF behaviour isn't very nice for users (auto-supply is probably fine for most users). FF will also ask for a cert on every session ID change. As you know, there isn't an ask-once option, which would be very nice. I don't think there is much that can be done to fix it other than coding up an ask-once option in FF (which I haven't got the time to do :( ).

Anyway, you may also want to use/need SSLOptions +OptRenegotiate if you have portions of the site that do and don't require client certs. It can help greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all the time going from non-client-cert to client-cert areas.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, September 25, 2008 9:37:00 AM
Subject: Re: Can I use a CA-signed cert to create client authentication certificates?
Re: Can I use a CA-signed cert to create client authentication certificates?
Thank you very much Matt. That solved it :). I now have client certificate authentication working with a CA-signed certificate and a self-signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup? Although I think this problem might be Firefox-specific, I'm hoping for some advice here. Internet Explorer handles the client certificates fine, prompts me to select a certificate on connection to the site and basically just works after that. But when Firefox is set to "Ask me every time" instead of auto-select client certificate, I keep getting the select-certificate pop-up several (multiple) times per page request/load from the SSL-secured Apache server. There is only one certificate in the select-from dialog, but it keeps prompting me and I can see it loading one item (image) at a time on the website. If I switch to auto-select certificate it works. But it would be nice not having the browser present the certificate without it being the user's choice. And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module. But this content should not differ for Firefox and certificate selection. Or does the mod_ssl module prompt for a client certificate for each item loaded? I have googled this but can't find any good answers. Some say it is because of image objects loading, but why?

Best regards
Jan Stian Gabrielli

----- Original Message -----
> Hi,
>
> Basically...
>
> SSLCACertificateFile <SelfSignedCA root cert (public part)>
> SSLVerifyClient require (or optional)
> SSLVerifyDepth 1 (default)
>
> and have the setup from the Thawte cert as per normal for the server cert.
>
> Regards
> Matt

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Can I use a CA-signed cert to create client authentication certificates?
Ok. This seems like a viable solution. I.e. I use an approved CA-signed cert to verify the site's authenticity, and I use a self-signed CA root for client certificates. Can you point me in a direction of how I make this work in Apache? I already have a setup with a self-signed CA working for client certificates:

Created SelfSignedCA
 |-- Create and sign Apache cert from SelfSignedCA
 |-- Create and sign client cert from SelfSignedCA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards
Wizkidnono

----- Original Message -----
> Sounds like you're trying to use the Thawte Apache cert to sign your client certs? The Thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert.
>
> Regards
> Matt
Can I use a CA-signed cert to create client authentication certificates?
I am trying to set up Apache with mod_ssl, and I have it working with a self-signed CA. But I cannot get it to work with a cert created by thawte.com. Does anyone know if it is possible to do this with a crt signed by a third party where one does not have access to their root CA key?

I.e. I have:

- generated an apache_server.key
- made an apache_server.csr and sent this for signing by thawte.com
- received an apache_server.crt
- created a client.key and a client.csr
- signed it with my apache_server.key and apache_server.crt
- converted the client.key/crt to a PKCS#12 file and imported this into my browser

but I cannot make things work. SSL works fine on the server on pages that do not require SSL client auth. As I stated earlier, it works when I create and self-sign a CA, but I can't make it work when I use a 3rd-party CA and only have apache_server.key, apache_server.crt and the Thawte root cert.

Best regards
Wizkidnono
Re: Can I use a CA-signed cert to create client authentication certificates?
Sounds like you're trying to use the Thawte Apache cert to sign your client certs? The Thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can I use a CA-signed cert to create client authentication certificates?
Problems with CA-Certificates
Hello,

I have got 2 problems with my Apache using mod_ssl and authentication with client certificates.

1. When the Apache is running and I copy a new PEM-encoded CA certificate into the specified directory (SSLCACertificatePath) and create the symbolic hash link, no client is able to connect to the website with his client certificate issued by the copied CA until I restart the server. Is this a bug? Or is there any way to update the CA certificates without a restart?

2. The number of CA certificates seems to be limited at ~250. When I use too many CA certificates in the directory (SSLCACertificatePath) the SSL message from the server to the client is malformed and no client can connect. Is this also a bug?

Don't ask me why I need more than 250 CA certificates. It's for a master's thesis.
RE: Problems with CA-Certificates
1. I believe the server reads the CA cert into memory at startup for a couple of reasons: to prevent unnecessary disk access, and probably as a security measure as well. If your cert is password protected, you might want an admin to type it in, and startup is the perfect time to do it.

2. Maybe it is a number-of-files limitation? If I'm not mistaken, you can have more than one certificate in a PEM file. Maybe try to combine them.

Rich
RE: Problems with CA-Certificates
Looking at the SSL 3.0 spec at http://wp.netscape.com/eng/ssl3/draft302.txt, there appears to be a size limit for the list of CA distinguished names:

    struct {
        CertificateType certificate_types<1..2^8-1>;
        DistinguishedName certificate_authorities<3..2^16-1>;
    } CertificateRequest;

If I interpret the spec correctly, this means 3 - 65535 bytes of data available for the list of DNs (someone please correct me if I am wrong). Perhaps you are hitting this limit.

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keller Kind
Sent: Thursday, May 17, 2007 10:30 AM
To: modssl-users@modssl.org
Subject: Re: Problems with CA-Certificates

> 2. Yes, I know that I can have more than one certificate in a PEM file. That is used for the SSLCACertificateFile option. But this didn't solve the problem. There is no difference between having more than 250 single certificate files or one file with 250 certificates. In the SSL handshake the server sends to the client which CAs it accepts. This message seems to be malformed when there are too many CAs. Any ideas...?
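Rich's reading of the CertificateRequest grammar can be checked with real numbers. The following Python is an added example, not code from the list: it DER-encodes constructed CA distinguished names, adds the 2-byte per-entry length the TLS vector encoding uses, and reports how many such names fit under the 2^16-1 byte limit. The string types (PrintableString for C, UTF8String for the rest) and the names themselves are assumptions, not real CAs.

```python
# Added example: size of the certificate_authorities vector in a TLS
# CertificateRequest. Each entry is a 2-byte length followed by a DER-encoded
# Name; the whole vector is bounded by a 16-bit length (3..2^16-1 bytes).

MAX_CA_LIST = 2**16 - 1   # DistinguishedName certificate_authorities<3..2^16-1>

# DER-encoded OIDs for the attribute types used below (X.520 id-at-*).
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
       "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}


def der_len(n):
    # DER length octets: short form below 128, long form 0x81/0x82 above.
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    return bytes([0x82, n >> 8, n & 0xFF])


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_name(rdns):
    # Name ::= SEQUENCE OF RelativeDistinguishedName, each a SET OF one
    # AttributeTypeAndValue (SEQUENCE { OID, string }). Assumption: C is a
    # PrintableString (0x13), the other attributes UTF8String (0x0C).
    out = b""
    for attr, value in rdns:
        tag = 0x13 if attr == "C" else 0x0C
        atv = der_tlv(0x30, der_tlv(0x06, OID[attr]) + der_tlv(tag, value.encode()))
        out += der_tlv(0x31, atv)
    return der_tlv(0x30, out)


def ca_list_size(names):
    # Bytes the vector body needs: a 2-byte length prefix per DN plus the DN.
    return sum(2 + len(der_name(n)) for n in names)


def fits_certificate_request(names):
    return ca_list_size(names) <= MAX_CA_LIST


def max_cas_that_fit(names):
    # Entries, taken in order, that fit before the 16-bit length overflows.
    total = count = 0
    for n in names:
        entry = 2 + len(der_name(n))
        if total + entry > MAX_CA_LIST:
            break
        total += entry
        count += 1
    return count


def constructed_ca_names(count):
    # Made-up four-attribute issuer names of the shape many root CAs use;
    # each encodes to 144 bytes of DER, i.e. 146 bytes per vector entry.
    return [[("C", "DE"), ("O", "Example Organisation %03d GmbH" % i),
             ("OU", "Public Key Infrastructure Services"),
             ("CN", "Example Organisation %03d Root CA" % i)]
            for i in range(count)]


if __name__ == "__main__":
    print("250 constructed CAs need", ca_list_size(constructed_ca_names(250)), "bytes")
    print("CAs of this shape that fit:", max_cas_that_fit(constructed_ca_names(1000)))
```

With names of this size, 250 CAs need 36500 bytes and the limit is only reached at 448 of them, so the count at which the 16-bit length bites depends on how long the DNs are, not on a fixed number of CAs.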
updating ca-bundle.crt
There was some discussion on modssl-users a while back on this topic; we had some concerns about extracting ca-bundle.crt directly from the Mozilla CA list sources. But after discussing this with Frank Hecker and some others there is agreement that there are no licensing issues here really. So, attached is a Perl script which regenerates ca-bundle.crt directly from the Mozilla certdata.txt. Ralf, feel free to include this in mod_ssl or just update the mod_ssl ca-bundle.crt using it ;)

joe

#!/usr/bin/perl -w
#
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
# Run as ./mkcabundle.pl > ca-bundle.crt
#

my $cvsroot = ':pserver:[EMAIL PROTECTED]:/cvsroot';
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';

# Check the current certdata.txt out of CVS straight to stdout.
open(IN, "cvs -d $cvsroot co -p $certdata|")
    || die "could not check out certdata.txt";

my $incert = 0;

print <<EOH;
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: $certdata
#
EOH

while (<IN>) {
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
        # Start of a DER certificate given as octal escapes; feed the
        # decoded bytes to openssl, which prints the PEM plus a summary.
        $incert = 1;
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
            || die "could not pipe to openssl x509";
    } elsif (/^END/ && $incert) {
        close(OUT);
        $incert = 0;
        print "\n\n";
    } elsif ($incert) {
        # Each line looks like \060\202\003...; convert every octal escape.
        my @bs = split(/\\/);
        foreach my $b (@bs) {
            chomp $b;
            printf(OUT "%c", oct($b)) unless $b eq '';
        }
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
        print "# Generated from certdata.txt RCS revision $1\n#\n";
    }
}
Again: License of ca-bundle.crt
Hello,

I am packaging sole ca-bundle.crt for Fink.
http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256

The Fink package system has a License field. I must fill it. What is the license of sole ca-bundle.crt? The mod_ssl license? Or nothing like a license?

I sent this before but got no response except a vacation message. Before clarifying it I can't take any action.
Re: Again: License of ca-bundle.crt
On Thu, Jun 17, 2004 at 05:09:31AM +0900, AIDA Shinra wrote:
> Hello, I am packaging sole ca-bundle.crt for Fink.
> http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256
> The Fink package system has a License field. I must fill it. What is the license of sole ca-bundle.crt? The mod_ssl license? Or nothing like a license?

It's a tricky legal question, I think. The original source of the ca-bundle.crt was a database shipped with the Netscape browser. It's possible to derive a new ca-bundle.crt from the Mozilla source code, which is what Debian do in their ca-certificates package. Debian say that the resultant CA certificate bundle is licensed under the MPL, as its source in Mozilla is.

But can a database be copyrighted? Can a database made up of copies of necessarily-public CA certificates published by third parties be copyrighted? It is somewhat lacking in originality, which is one of the requirements for US copyright law to apply, at least. You may be better off asking a lawyer, unfortunately!

joe
License of ca-bundle.crt
Hello,

I am packaging sole ca-bundle.crt for Fink.
http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256

The Fink package system has a License field. I must fill it. What is the license of sole ca-bundle.crt? The mod_ssl license? Or nothing like a license?
Verisign CA cert problem
Hello,

I am having problems with a brand new Verisign 128-bit certificate that has just been purchased. I have installed the certificate and the intermediate CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.

What I am seeing is that Netscape and Mozilla connect to the site just fine. When I connect to the site with IE 6 the security window pops up telling me that the certificate has either expired or is not valid yet. When I look at the certificate, the intermediate CA cert that IE is using is the expired cert that was installed with IE. I tried removing the old intermediate CA cert from IE altogether and it still will not load the intermediate CA cert from my server.

I am not really sure what to try at this point. Oh, yes, Verisign support has been pretty much useless. Help and suggestions will be greatly appreciated.

Bill

+---
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555
Re: Verisign CA cert problem
On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
> Hello, I am having problems with a brand new Verisign 128-bit certificate that has just been purchased. I have installed the certificate and the intermediate CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.

Did you get a new intermediate cert (intermediate.crt) from Verisign also? This also goes in the Apache config. Directions are somewhere on Verisign's site.

--
Christopher McCrory
The guy that keeps the servers running
[EMAIL PROTECTED]
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.
Re: Verisign CA cert problem
--On Wednesday, May 19, 2004 10:50:44 AM -0700 Christopher McCrory [EMAIL PROTECTED] wrote:

> On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
> > Hello, I am having problems with a brand new Verisign 128-bit certificate that has just been purchased. I have installed the certificate and the intermediate CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.
>
> Did you get a new intermediate cert (intermediate.crt) from Verisign also? This also goes in the Apache config. Directions are somewhere on Verisign's site.

Yes. The only certificate that has ever been on my servers is the new CA cert. Actually there are multiple references on the Verisign site:

http://www.verisign.com/support/install/apache/v00Mod.html#global
http://www.verisign.com/support/site/caReplacement.html

Of course, while both describe the same issue they suggest slightly different Apache directives. Respectively, the two suggestions are:

SSLCertificateFile /etc/ssl/crt/public.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/intermediate.crt

and

SSLCACertificateFile /etc/ssl/crt/intermediate.crt

I have tried both and neither method works for IE.

Bill

+---
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555
Creating my own CA
I've got OpenSA (Apache w/ openssl+modssl) running on a Windows platform and am trying to create my own CA. I'm able to create a private key and make a cert for that CA but can't use my CA to sign the CSR. I see from the modssl docs the step by step, but then the last step gets to running the script sign.sh and, well, obviously Windows has some problems running a .sh file. Every place I see online mentions that there are some strange requirements of the openssl ca command. Does anyone know of some other approach to sign the CSR? I've been messing with CygWin and Mac OS X and a few other things, but it seems like an awful lot of trouble to go through if I have to actually 'build' a *nix server just to sign my server cert.

Any help is always appreciated.

Kevin Ericson
Kinetic Technologies, Inc.
RE: Expired CA Certificate
We recently had a problem with our Verisign Intermediate CA Certificate. This link (https://www.verisign.com/support/site/caReplacement.html) points to how they said to fix the problem. Your case may be similar.

Florian Yanez
Manager of Technical Systems
Helzberg Diamond Shops, Inc.
[EMAIL PROTECTED]
816-627-1253

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rory Chisholm
Sent: Tuesday, February 10, 2004 7:14 AM
To: [EMAIL PROTECTED]
Subject: Expired CA Certificate

> This isn't totally modssl related but maybe someone knows the answer. I'm using OpenSCEP with openssl. My CA certificate has just expired. Now since our VPN sees very little use (only one important user) I'd like to re-issue the X.509 CA certificate with the same key but different attributes (a later expiry date). Can this be done without re-generating every certificate ever issued from scratch?
>
> The real question here is: do X.509 certificates that have been signed by a CA certificate store a hash of the CA certificate based solely on the CA's key, or based on the full CA certificate including its attributes? Has anyone had any experience doing this?
>
> Thanks for any help,
> Rory Chisholm
Re[2]: OT: cheap CA certificates
Thawte is pretty cheap. $127 bucks through their ISP channel (anyone can sign up) for a regular web cert; I am not sure you can do much better. If it's not worth $127 a year, then I assume it's not for profit, e.g. for internal use only or for a small number of users. In that case, just use self-signed certificates. They're no less secure, they just pop up a warning. Advise your users to add them to their root store the first time they connect to your site and even that won't happen anymore. We do this for all our internal secured sites.

--
Jamie

Monday, November 17, 2003, 3:05:23 PM, you wrote:

GBE> Hello Eric,
GBE> Eric Wood wrote:
>> Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will authorize against? Thawte and Verisign have outpriced themselves.
GBE> That depends on your definition of the terms cheap and reliable.
GBE> But we offer client and server certs
GBE> (low level client certs are still free)
GBE> Bye
GBE> Goetz

--
Best regards,
James  mailto:[EMAIL PROTECTED]
RE: Re[2]: OT: cheap CA certificates
Here is one comparison of different SSL certificate choices and their prices:
http://www.whichssl.com/ssl-certificate-comparison.html

--Kevin

-----Original Message-----
From: James Treworgy [mailto:[EMAIL PROTECTED]
Sent: Monday, November 17, 2003 2:12 PM
To: Goetz Babin-Ebell
Cc: [EMAIL PROTECTED]
Subject: Re[2]: OT: cheap CA certificates
OT: cheap CA certificates
Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will authorize against? Thawte and Verisign have outpriced themselves.

-Eric Wood
Re: OT: cheap CA certificates
http://www.geotrust.com/equifax/

On Mon, Nov 17, 2003 at 02:33:53PM -0500, Eric Wood wrote:
> From: Eric Wood [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: OT: cheap CA certificates
> Date: Mon, 17 Nov 2003 14:33:53 -0500
> Reply-To: [EMAIL PROTECTED]
>
> Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will authorize against? Thawte and Verisign have outpriced themselves.
>
> -Eric Wood

-- 
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)
[EMAIL PROTECTED]
DLESE Program Center (DPC), UCAR/DPC, P.O. Box 3000, Boulder, CO 80307-3000
Ph) +1-303-497-2663  Fx) +1 303-497-8336
Can I resign an existing CA cert without breaking anything?
...a bit naive I know, but I'd rather be safe than regret it a week later ;-)

We have an existing internal CA designed around an OpenSSL 0.9.5 signed CA (obviously we're using a newer release of OpenSSL now - but the CA cert was created under 0.9.5). It's all working well - until now. We have found that we cannot sign certs created by Cisco IOS - well it can - but then the Cisco refuses to use it. Upon talking to Cisco, they say it's because our CA has a serial number of 0 - which is illegal(!?). They said this was a known bug in OpenSSL that was fixed in a later release...

Anyway, if all that is true, I'd like to simply re-create the CA cert under a newer OpenSSL release - using the existing private key and serial number 1 - which for some reason is actually available (the first signed cert starts at 2 - don't know why!).

If I do that (i.e. openssl req -key existing.key -x509 -new ...), will it break the existing infrastructure? I've gone as far as creating the new CA public key/root cert, and diff'ing it against the old signed cert just shows a different serial number, dates and some signature hexes look different. I mean, the public key created from the private key looks identical to the old public key, so existing (old) HTTPS web servers that only accept connections from client certs signed by our (old) CA should happily accept client certs signed by our (new) CA?

What about CRL? We make extensive use of CRL to ensure only valid certs are accepted, so I'm worried about that breaking.

I'm pretty sure that is doable - I'm just worried there are known bugs/issues around this that may sting me a week/month later...

Thanks!

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377  Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
~ Error Help - CN in certificate not server name or identical to CA!? ~
Hi all

I am new to the SSL environment and am getting the following error. Can someone tell me what's going on and how I can resolve this? Thanks in advance... (error output below)

[Tue Jul 2 11:54:00 2002] [error] mod_ssl: SSL handshake failed (server name here:443, client 130.209.164.170) (OpenSSL library error follows)
[Tue Jul 2 11:54:00 2002] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

Inderjit S Gabrie
University of Glasgow, Department of MIS, Gilbert Scott Building, Glasgow G12 8QQ
Tel: 0141-330-3837  Fax: 0141-330-4953
E-mail: [EMAIL PROTECTED]
Web Url: http://www.mis.gla.ac.uk

The future is here, it's just not evenly distributed yet.
RE: ~ Error Help - CN in certificate not server name or identical to CA!? ~
Please post in plain-text...

Your error:

[Hint: Subject CN in certificate not server name or identical to CA!?]

means: the Common Name in the certificate is not the same as the ServerName in the URL - e.g. the certificate belongs to www.abcdef.com but you are using it in a server whose URL is www.uvwxyz.com. This makes the browser think your site is impersonating another site and so throws a warning.

Where did you get the cert? Is it self-signed? If so, make a new one with the correct server name.

Rgds,
Owen Boyle

PS How did you remove the Reply-To header which normally directs the replies back to the list? This is supposed to be a public mailing list, not your private resource. You are supposed to share the replies with others and allow them to go in the archive. Anyway, I changed it back...

-----Original Message-----
From: Inderjit S Gabrie [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 29 January 2003 10:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: ~ Error Help - CN in certificate not server name or identical to CA!? ~
Re: Problems with creating own CA
Well, the thing is that just adding ...-config openssl.cnf... was enough. Now it works.

Thanx

Long, Liesheng wrote:
> Do .csr first, then do .crt. Try the following commands, add your path if needed:
> 1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
> 2. openssl x509 -extfile openssl.conf -days 365 -signkey ca.key -in ca.csr -req -out ca.crt
Re: Problems with creating own CA
OK, so creating a certificate is done. How do I sign it? I am using Windows but I have read in the documents to use sign.sh in mod-perl. OK, but I am not having Linux anywhere near me. So what can I do?

Sasa STUPAR wrote:
> Well, the thing is that just adding ...-config openssl.cnf... was enough. Now it works.
Re: Problems with creating own CA
On Tuesday 03 December 2002 03:22 pm, Sasa STUPAR wrote:
> OK, so creating a certificate is done. How do I sign it? I am using Windows but I have read in the documents to use sign.sh in mod-perl. OK, but I am not having Linux anywhere near me. So what can I do?

try a self-signed

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt

-- 
Maurizio Marini
Re: Problems with creating own CA
Ok, I have made a server certificate and a client certificate. I have configured Apache and ssl.conf with everything necessary BUT when I try to connect to myserver:443 it tells me the connection has been refused. Any idea?

Maurizio Marini wrote:
> try a self-signed
> openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt
RE: Problems with creating own CA
Do .csr first, then do .crt. Try the following commands, add your path if needed:

1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
2. openssl x509 -extfile openssl.conf -days 365 -signkey ca.key \
     -in ca.csr -req -out ca.crt

-----Original Message-----
From: Sasa STUPAR [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 28, 2002 11:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with creating own CA

> One thing, if I try to use directly the command
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> I get back an error like before, with also that it cannot load config info. Any idea?
Problems with creating own CA
Hi!

I am trying to create my own CA. The creation of a key file is fine. When I try to create a CSR file I get back an error: unable to find a 'distinguished_name' in config. I am running on WinXP with OpenSSL 0.9.6g. I wanted to make a server certificate for my Apache.

Please help me!

Sasa
Re: Problems with creating own CA
On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
> unable to find a 'distinguished_name' in config.

in your openssl.cnf you should uncomment lines regarding distinguished_name; otherwise re-post with it attached

-- 
Maurizio Marini
Re: Problems with creating own CA
They are already uncommented. Here is attached my config file.

Maurizio Marini wrote:
> in your openssl.cnf you should uncomment lines regarding distinguished_name; otherwise re-post with it attached

Attachment: openssl.cnf

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal
Re: Problems with creating own CA
On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> They are already uncommented. Here is attached my config file.

I've:

commonName              = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64
commonName_default      = iris.dev.datalogica.com

it seems u lack this:

commonName_default      = your_fqdn

-- 
Maurizio Marini
GSM +39-335-8259739
Altamura: +39-080-3105228  Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055
Re: Problems with creating own CA
Well, I have added what you've told me but still the same problem.

Maurizio Marini wrote:
> it seems u lack this:
> commonName_default = your_fqdn
Re: Problems with creating own CA
One thing, if I try to use directly the command

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

I get back an error like before, with also that it cannot load config info. Any idea?

Maurizio Marini wrote:
> it seems u lack this:
> commonName_default = your_fqdn
Re: Problems with creating own CA
On Thursday 28 November 2002 05:53 pm, Sasa STUPAR wrote:
> I have here made a printscr and saved it in a Word doc. Please look at it, maybe it will give some clue.

in fact! it seems that you lack the openssl.conf pathname in your env vars. check your env and search for something related to this

byez!

-- 
Maurizio Marini
GSM +39-335-8259739
Altamura: +39-080-3105228  Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055
Problem of sign.sh ( Create CA for WebServer )
Hello,

My system is Redhat 7.2, Apache 1.3.22 and openssl 0.9.6b... After I get the sign.sh from here:
http://www.modssl.org/source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.contrib/sign.sh
then run the command: sign.sh ssl.csr/server.csr (location path is /etc/httpd/conf, sign.sh into /usr/bin), the error message:

[root@itahost2 conf]# sign.sh ssl.csr/server.csr
CA signing: ssl.csr/server.csr -> ssl.crt/server.csr:
Using configuration from ca.config
./ca.key: No such file or directory
trying to load CA private key
28968:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./ca.key','r')
28968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
CA verifying: ssl.crt/server.csr <-> CA cert
Error loading file ca.crt
28969:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('ca.crt','r')
28969:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
28969:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:278:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose

So, can you help me to fix this problem?

Thanks a lot.

Edward.
Re: Make CA for WebServer ( Apache )
It's in the mod_ssl INSTALL file... Basically it's an added step when you make Apache...

--from the INSTALL file--

$ cd apache_1.3.x                                       ALL
$ SSL_BASE=../openssl-0.9.x \                           ALL
  EAPI_MM=../mm-1.1.x \                                 OPTIONAL
  ./configure \                                         ALL
  --enable-module=ssl \                                 ALL
  --prefix=/path/to/apache \                            ALL
  [--enable-shared=ssl] \                               OPTIONAL
  [--disable-rule=SSL_COMPAT] \                         OPTIONAL
  [--enable-rule=SSL_SDBM] \                            OPTIONAL
  [--enable-rule=SSL_EXPERIMENTAL] \                    OPTIONAL
  [--enable-rule=SSL_VENDOR] \                          OPTIONAL
  [...more APACI options...]                            OPTIONAL
$ make                                                  ALL
$ make certificate                                      OPTIONAL
$ make install                                          OPTIONAL
$ cd ..

Daniel.

[EMAIL PROTECTED] wrote:
> Hello,
> How to create a CA (invalid: NOT real) for Web Server (Apache)?
> Thanks for your help!
> Edward.
Make CA for WebServer ( Apache )
Hello,

How to create a CA (invalid: NOT real) for Web Server (Apache)?

Thanks for your help!

Edward.
Configuring my own CA
I am trying to configure my web server so when user brian attempts to connect to https://myhost/brian/ it authenticates him via his certificate and allows him to view the directory. I successfully compiled apache + modssl with a test certificate signed by Snake Oil. So, here goes on the questions.

Do I need to create my own Certificate Authority? If I create my own CA, how do I get Netscape to use it as a CA? I am using Netscape 4.7 on Solaris. If I create my own CA, does my Apache/modssl server perform that function? Do I need to create a certificate for Brian? Does it have to be signed by the CA?

Here are the answers I came up with so far. It looks like I need to create a CA and that I can run it on my modssl alongside the server.crt.

Here is how I created the CA:

$ openssl genrsa -des3 -out ca.key 1024

I created a self signed CA certificate:

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

So this created my certificate authority certificate. I created a server.key. The CN for the server.key is the FQDN of my modssl web server.

$ openssl genrsa -des3 -out server.key 1024

I created a request (server.csr) using that server key:

$ openssl req -new -key server.key -out server.csr

Then I signed the server key with the command:

$ ./sign.sh server.csr

which produced a server.crt file. So, it looks like I have a CA and the server certificate. I created a key for myself which I signed using the CA.

$ openssl genrsa -des3 -out brian.key 1024
$ openssl req -new -key brian.key -out brian.csr
$ sign.sh brian.csr

Then I end up with the following files:

brian.crt  brian.csr  brian.key  ca.crt  ca.db.certs/  ca.db.index  ca.db.serial  ca.key  file.p12  server.crt  server.csr  server.key

I can't seem to import my key (brian.crt) into my Netscape browser though. Is there some other format I need to import it into?

brian
-- 
Brian Lavender
http://www.brie.com/brian/
RE: Configuring my own CA
Hi Brian

Netscape needs a PKCS12 format. I emailed the openssl list on the 16/10/2002 with subject "Re: CSR/CA Issued Certificate" where among other things I show how to create CA, server and client certificates (not keys) and how to convert them to PKCS12 format and import them into the browser.

Cheers
Jose

-----Original Message-----
From: Brian Lavender [mailto:brian;brie.com]
Sent: 18 October 2002 03:30
To: [EMAIL PROTECTED]
Subject: Configuring my own CA

> I can't seem to import my key (brian.crt) into my Netscape browser though. Is there some other format I need to import it into?
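Brian's steps, Jose's PKCS#12 answer, the CN-vs-hostname mismatch from the "Subject CN in certificate not server name" thread above and Jason's question about re-issuing a CA cert from its existing key, as one added example (not code from the list, from mod_ssl's sign.sh or from the posters): a small private CA driven through the openssl CLI, with the checks a practitioner would run on the result. It assumes `openssl` on PATH; the hostname www.example.internal, the client name brian, the "Example Internal" DN and the passphrases are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the list thread or from mod_ssl's sign.sh:
# a small private CA built with the openssl CLI along the lines Brian posted,
# the PKCS#12 export Jose says the browser needs, the CN-vs-hostname check
# behind the "Subject CN in certificate not server name" error, and Jason's
# case of re-issuing the CA cert from the same key. Names, hostnames and
# passphrases below are constructed for this example; needs `openssl` on PATH.
set -eu

CA_PASS="example-ca-passphrase"    # constructed; protects ca.key like Brian's -des3 did
P12_PASS="example-import-pass"     # constructed; the browser asks for it on import
SUBJ_BASE="/O=Example Internal"    # constructed DN prefix

# Minimal openssl.cnf. [req] must name a distinguished_name section, or req
# fails with "unable to find a 'distinguished_name' in config".
write_cnf() {  # write_cnf FILE SERVER_FQDN
  cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name (eg, your server's hostname)
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# self_sign_ca DIR SERIAL OUT: CA cert from the CA key in DIR. -set_serial
# avoids the serial-0 CA cert Jason's Cisco gear refused; re-running it with
# the same key is the "openssl req -key existing.key -x509 -new" he asks about.
self_sign_ca() {
  openssl req -new -x509 -days 365 -config "$1/openssl.cnf" -set_serial "$2" \
    -key "$1/ca.key" -passin pass:"$CA_PASS" \
    -subj "$SUBJ_BASE/CN=Example Internal CA" -out "$3"
}

# issue DIR NAME CN EXT_SECTION SERIAL: key + CSR + CA-signed cert, the steps
# sign.sh wraps. For the server, CN (and SAN) must be the FQDN used in the URL.
issue() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" \
    -subj "$SUBJ_BASE/CN=$3" -out "$1/$2.csr"
  openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -passin pass:"$CA_PASS" -set_serial "$5" -extfile "$1/openssl.cnf" \
    -extensions "$4" -out "$1/$2.crt" 2>/dev/null
}

# build_pki DIR SERVER_FQDN CLIENT_NAME
build_pki() {
  mkdir -p "$1"; write_cnf "$1/openssl.cnf" "$2"
  openssl genrsa -aes256 -passout pass:"$CA_PASS" -out "$1/ca.key" 2048 2>/dev/null
  self_sign_ca "$1" 1 "$1/ca.crt"
  issue "$1" server "$2" v3_server 2
  issue "$1" "$3" "$3" v3_client 3
  # A browser imports key + cert + issuing CA as one PKCS#12 file, not a bare .crt.
  openssl pkcs12 -export -in "$1/$3.crt" -inkey "$1/$3.key" -certfile "$1/ca.crt" \
    -name "$3" -passout pass:"$P12_PASS" -out "$1/$3.p12"
}

# Checks to run before loading the files into Apache or a browser.
cert_cn()     { openssl x509 -noout -subject -nameopt multiline -in "$1" | sed -n 's/^ *commonName *= *//p'; }
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }
cn_matches_host() { [ "$(cert_cn "$1")" = "$2" ]; }
# verify_chain CAFILE PURPOSE CERT: the chain + purpose check mod_ssl or the browser applies
verify_chain() { openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1; }
p12_cn() {  # CN of the client cert inside a PKCS#12 bundle
  openssl pkcs12 -in "$1" -passin pass:"$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= *//p'
}

# Demo run in a throwaway directory (constructed names).
D=$(mktemp -d)
build_pki "$D" www.example.internal brian
echo "CA serial: $(cert_serial "$D/ca.crt")   server CN: $(cert_cn "$D/server.crt")"
verify_chain "$D/ca.crt" sslserver "$D/server.crt" && echo "server.crt: OK"
verify_chain "$D/ca.crt" sslclient "$D/brian.crt"  && echo "brian.crt: OK"
verify_chain "$D/ca.crt" sslserver "$D/brian.crt"  || echo "brian.crt as a server cert: rejected (clientAuth only)"
# Jason's question: new CA cert from the same key and subject (new dates and signature)
self_sign_ca "$D" 1 "$D/ca-new.crt"
verify_chain "$D/ca-new.crt" sslserver "$D/server.crt" && echo "server.crt still OK under ca-new.crt"
```

The last check passes because chain validation binds the leaf to the issuer's name and public key, which the re-issued CA cert keeps; the serial, dates and signature it changes are not what the verifier matches on.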
how to generate an authoritative CA Certificate?
hello, everybody:

Glad to talk to you! I happen to be a learner, so if I have some problems that make you feel bad, please be patient with me!

When I constructed my web station through apache, I met with some problems! I made the CA Certificate by myself, and issued a server.crt for my web server using this CA, but I found an unexpected warning when I tried to connect to my apache server through MSIE/netscape. There is a warning message which says my certificate is not issued by a Trusted CA. I think the CA generated by myself must have some problems. My question is: can guys make a CA by themselves? If so, the steps I generate my CA are:

1. create a RSA private key for my CA:

  $ openssl genrsa -des3 -out ca.key 1024

2. create a self-signed CA Certificate (X509 structure) with the RSA key of the CA:

  $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

3. sign the certificate of my server using sign.sh provided by mod_ssl/pkg.contrib/:

  $ sign.sh server.csr

Then I got my server.crt issued by my CA Certificate. Is there any problem during the process I generate the CA? Any help is appreciated! :)

zhaoxd
Using a different CA
Hello List,

I have a question regarding the use of a different CA. I recently purchased an SSL certificate from comodo.net and I have not been able to get it to work properly. My browser responds that it cannot recognize the issuer of the certificate. I am running apache 1.3.26, mod-ssl 2.8.9, and openssl 0.9.6c on a debian woody system. The global-ca.txt file has been downloaded from their site, and I have contacted their tech support, who have provided me with no answers.

I have the following directives in my virtual host container tags:

  <IfModule mod_ssl.c>
  SSLEngine on
  SSLCertificateFile    /etc/apache/ssl.crt/site.crt
  SSLCertificateKeyFile /etc/apache/ssl.key/site.key
  SSLCACertificateFile  /etc/apache/ca-bundle/global-ca.txt
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
  </IfModule>

Has anyone else had any experience with comodo? Should I break down and shell out the extra $$ for a Thawte cert? Any help would be greatly appreciated!

--
Peter Hicks
GnuPG public key: http://jah.net/~petong/public_key.txt
Key Fingerprint: 4E24 3C78 A165 537C 729C 8D25 3547 3CE9 9E7D 42B6
"Every why hath a wherefore." -- William Shakespeare, A Comedy of Errors
Could I add more than one CA to http.conf.
Dear Sir:

If we want to allow users whose certificate is signed by one of two CAs (for example Verisign and Hitrust), how could I do this? If I execute the SSLCACertificateFile command two times, the second command works but the first CA is disabled.

OS: Windows 2000. WEB Server: Apache 1.3, mod_ssl 2.6.1, OpenSSL 0.8.5

Is there any command to solve the problem?

Thanks
Bruce Huang
FoongTone
Tel: 886-2-8861 ext 636
RE: Could I add more than one CA to http.conf.
Hi Sir:

I have got the solution. Thanks.

Bruce Huang

-----Original Message-----
From: Bruce Huang
Sent: Friday, July 12, 2002 2:06 PM
To: '[EMAIL PROTECTED]'
Subject: Could I add more than one CA to http.conf.

Dear Sir:

If we want to allow users whose certificate is signed by one of two CAs (for example Verisign and Hitrust), how could I do this? If I execute the SSLCACertificateFile command two times, the second command works but the first CA is disabled.

OS: Windows 2000. WEB Server: Apache 1.3, mod_ssl 2.6.1, OpenSSL 0.8.5

Is there any command to solve the problem?

Thanks
Bruce Huang
FoongTone
Tel: 886-2-8861 ext 636
How do I extend the expiration day of the self generated CA certificate and all the certs issued by that CA. Please help
We have created our own CA certificate and signed a few more certs using it. The CA is about to expire and with that all the certificates signed using it. Is there a way to extend the expiration date without recreating the CA and reissuing the certs? Please help.

Thanks in advance.
Ilya

---
This message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. ABN AMRO Bank N.V. (including its group companies) shall not be liable for the improper or incomplete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. ABN AMRO Bank N.V. (or its group companies) does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference.
---
Getting CRL from CA
Hello,

Maybe a stupid question, but I cannot figure out the answer. I have a secured SSL/TLS server with client authentication. I accept user certificates from various CAs of my choice, so I have those CA certificates available and verified, etc. But in order to validate user certificates, I need to update the various CRLs from those CAs. Is there a standard way of knowing where and how to connect to get those CRLs, besides reviewing each CA's CPS individually? Another question strongly related to this one: are there any open source tools to achieve this goal, to your knowledge?

Thank you for your time,
François
ca cert questions (was Re: Dumb SSL question)
On Tue, 2002-04-02 at 13:50, Ladner, Eric (Eric.Ladner) wrote:

What mechanism is it that will allow an encrypted communication (a connection to the https side of the web server) without popping up the View/Accept/Whatever dialog for the certificate?

All that's required is a valid cert (valid date, correct servername) signed by a valid CA (installed on your web browser or on the remote server).

which brings me to my question: my company purchased a cert from geotrust. initially, we couldn't make the cert work (we got an ie dialog saying that the cert was from a company we had not chosen to trust). geotrust had me install a CA cert on the server and use 'SSLCACertificateFile' to point to it. magically, ie then trusted the certificate. so why does this work? i mean, why can't i start forging ssl certificates that are trusted by my own ca files that i host locally? do browsers do any verification of ca files served up by remote machines? feel free to point me to documentation on this one...

-jon
--
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
Re: ca cert questions (was Re: Dumb SSL question)
On 2 Apr 2002, jon schatz wrote:

we had not chosen to trust). geotrust had me install a CA cert on the server and use 'SSLCACertificateFile' to point to it. magically, ie then trusted the certificate. so why does this work? i mean, why can't i start forging ssl certificates that are trusted by my own ca files that i host locally? do browsers do any verification of ca files served up by remote machines? feel free to point me to documentation on this one...

The difference is that the CA certificate they would have had you install (a) is signed by a CA that the browser *does* trust and (b) contains a flag saying "this certificate may be used to sign other certificates". SSLCertificateChainFile (and SSLCACertificateFile in this case) is all about establishing a chain of trust back to some entity (a root CA) that the browser does trust. Take a look at the CA certificate they gave you... it will have been signed by some root CA (is Thawte the only one that actually provides this service? Maybe Verisign does, I don't know), and you'll see the special capabilities flags in there as well.

--Cliff
--
Cliff Woolley
[EMAIL PROTECTED]
Apache HTTP Server Project
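Added here as a worked example (it is not code from the list, from mod_ssl or from sign.sh): the CA, server and client certificate steps Brian and zhaoxd post, Jose's PKCS#12 conversion, Bruce's two-CA bundle, and the point made in the "ca cert questions" exchange above that a CA certificate only counts when the verifier already trusts it. It assumes only the openssl binary; every name, host name and passphrase below is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the list archive): a private CA run from the openssl
# command line, covering the steps Brian, zhaoxd and Bruce describe and the
# trust question in the "ca cert questions" exchange. Needs only the openssl
# binary; all names, host names and passphrases are constructed sample values.
set -eu

WORK=$(mktemp -d)
CA_PASS=pass:constructed-ca-passphrase    # protects the CA private keys
P12_PASS=pass:constructed-p12-passphrase  # protects the exported bundle

# Self-signed CA certificate for key pair $1 with subject CN $2. CA:TRUE and
# keyCertSign are what let a verifier accept the certificate as an issuer.
make_ca() {
  openssl req -x509 -new -config req.conf -newkey rsa:2048 -sha256 -days 365 \
    -passout "$CA_PASS" -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue end-entity certificate $2 signed by CA $1 with profile $3 ("server"
# or "client"); the equivalent of running sign.sh on a CSR.
issue() {
  openssl req -new -config req.conf -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" 2>/dev/null
  if [ "$3" = server ]; then
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$2.ext"
    printf 'subjectAltName=DNS:%s\n' "$2" >> "$2.ext"
  else
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$2.ext"
  fi
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -passin "$CA_PASS" \
    -CAcreateserial -days 365 -sha256 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# Pack client key, client certificate and the CA certificate into the PKCS#12
# file a browser imports (Jose's answer to Brian's question).
to_pkcs12() {
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile "$2.crt" \
    -name "$1" -passout "$P12_PASS" -out "$1.p12"
}

# True when the PKCS#12 file parses and its integrity check passes.
pkcs12_ok() { openssl pkcs12 -in "$1.p12" -passin "$P12_PASS" -noout 2>/dev/null; }

# True when certificate $2 chains to a CA in trust store $1, which may be one
# CA certificate or a concatenated bundle (what SSLCACertificateFile reads).
chains_to() { openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; }

# Same, with $2 supplied as an untrusted intermediate, as a server would send it.
chains_via() { openssl verify -CAfile "$1.crt" -untrusted "$2.crt" "$3.crt" >/dev/null 2>&1; }

main() {
  cd "$WORK"
  # Minimal req config so the run does not depend on the system openssl.cnf.
  cat > req.conf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  make_ca ca "Brie Test CA"
  issue ca www.example.test server
  issue ca brian client
  to_pkcs12 brian ca

  # A second CA nobody has imported: its certificates verify only against it,
  # so a home-made CA certificate served by the site convinces no browser.
  make_ca other "Other Test CA"
  issue other forged-www server

  # An end-entity certificate (CA:FALSE) used to sign another certificate: the
  # signature is valid, but the chain is rejected because the CA flag is absent.
  issue ca notca client
  issue notca leaf-under-notca client

  # Trusting two CAs at once (Bruce's question): concatenate their certificates.
  cat ca.crt other.crt > bundle.crt

  for pair in "ca www.example.test" "ca brian" "ca forged-www" \
              "other forged-www" "bundle forged-www"; do
    set -- $pair
    if chains_to "$1" "$2"; then echo "$2.crt: OK via $1.crt"; else echo "$2.crt: REJECTED via $1.crt"; fi
  done
  if chains_via ca notca leaf-under-notca; then echo "leaf-under-notca.crt: OK"
  else echo "leaf-under-notca.crt: REJECTED (issuer is not a CA)"; fi
  pkcs12_ok brian && echo "brian.p12 ready for import (files in $WORK)"
}

main
```

Importing brian.p12 into the browser and ca.crt into its CA store is what makes the server certificate and the client prompt work without warnings.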
Become a CA
Hello,

I'm an ISP. I want to obtain a certificate and then create my own certificates for my clients. Is it possible?

--
Technical Administrator
Alsernet 2000
http://www.alsernet.es
Reply: Re: Reply: RE: Sign a server CSR with my own CA
Hi Ed,

works fine! Many thanks
Markus

PS: Only one typo, I corrected it below for others' convenience.

Date: 12.03.2002 19:20
To: [EMAIL PROTECTED]
Reply to: [EMAIL PROTECTED]
Subject: Re: Reply: RE: Sign a server CSR with my own CA
Message text:

Markus,

It's a rather involved process, but here's what I did to get it to work. It's not the most elegant of methods, but it will get you started.

1) You'll need to generate your RSA keys for both your server and ca:

  openssl rand -out random_data 65000
  openssl genrsa -passout pass:your_server_password -des3 -rand random_data -out server.key 1024
  openssl genrsa -passout pass:your_ca_password -des3 -rand random_data -out ca.key 1024

2) Now create your CSR:

  openssl req -new -passin pass:your_server_password -config cert.conf -key server.key -out server.csr

Your cert.conf file should look something like:

  [ req ]
  default_keyfile    = server.csr
  distinguished_name = req_distinguished_name
  prompt             = no

  [ req_distinguished_name ]
  C            = US
  ST           = Califori.. uhh
  L            = Palo-Alto
  O            = Hewlett-Packard Co.
  OU           = WJA
  emailAddress = your e-mail address
  CN           = 123.123.123.123

3) Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted) in ca.crt:

  openssl req -new -x509 -passin pass:your_ca_password -config cert.conf -days 365 -key ca.key -out ca.crt

4) Have the new CA sign the server's CSR and store the result in server.crt. This is the tricky part.

  - Create an empty file called certIndex.
  - Create a file called certSerialNo, and put a 01 in it.
  - openssl ca -batch -passin pass:your_ca_password -config ca.conf -out server.crt -infiles server.csr

(The CA's key, not the server's, is what openssl ca unlocks here, so the passphrase is the CA one.)

Your ca.conf file should look something like:

  [ ca ]
  default_ca = CA_default                                        # The default ca section

  [ CA_default ]
  dir              = c:/apache2/certificates/temp                # top dir
  new_certs_dir    = c:/apache2/certificates/temp                # new certs dir
  database         = c:/apache2/certificates/temp/certIndex      # index file
  serial           = c:/apache2/certificates/temp/certSerialNo   # serial no file
  RANDFILE         = c:/apache2/certificates/temp/random_data    # random number file
  certificate      = c:/apache2/certificates/temp/ca.crt         # The CA cert
  private_key      = c:/apache2/certificates/temp/ca.key         # CA private key
  default_days     = 365                                         # how long to certify for
  default_crl_days = 30                                          # how long before next CRL
  default_md       = md5                                         # md to use
  policy           = policy_any                                  # default policy

  [ policy_any ]
  localityName           = supplied
  countryName            = supplied
  stateOrProvinceName    = supplied
  organizationName       = supplied
  organizationalUnitName = supplied
  commonName             = supplied
  emailAddress           = optional

That should do it. There are undoubtedly typos in there somewhere.

Good luck,
Ed

From: Markus Dallmann [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Reply: RE: Sign a server CSR with my own CA
Date: Tue, 12 Mar 2002 16:51:52 +0100

Done, but nothing found.

Date: 12.03.2002 16:14
To: [EMAIL PROTECTED]
Reply to: [EMAIL PROTECTED]
Subject: RE: Sign a server CSR with my own CA
Message text:

Search for CA.pl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Dallmann
Sent: Tuesday, March 12, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Sign a server CSR with my own CA

Hi,

I'm using a win32 binary version of Perl 5.6.1, mod_perl 1.25 and Apache 1.3.20, which also includes the apache module mod_ssl (2.8.4-1.3.20) based on OpenSSL (0.9.6a). I created my own server CRT (passed some problems, e.g. redirect config file in openssl req, download missing openssl.cnf from www.modssl.org) and built my own CA. But now I have problems signing the CRT with my own CA, because there is no sign.sh script for WinNT. I tried it with 'openssl ca' and went through several error messages (last was missing index.txt). Has anybody succeeded in this? Or has anybody another solution?

kind regards
Markus

--
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Sign a server CSR with my own CA
Hi,

I'm using a win32 binary version of Perl 5.6.1, mod_perl 1.25 and Apache 1.3.20, which also includes the apache module mod_ssl (2.8.4-1.3.20) based on OpenSSL (0.9.6a). I created my own server CRT (passed some problems, e.g. redirect config file in openssl req, download missing openssl.cnf from www.modssl.org) and built my own CA. But now I have problems signing the CRT with my own CA, because there is no sign.sh script for WinNT. I tried it with 'openssl ca' and went through several error messages (last was missing index.txt). Has anybody succeeded in this? Or has anybody another solution?

kind regards
Markus
RE: Sign a server CSR with my own CA
Search for CA.pl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Dallmann
Sent: Tuesday, March 12, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Sign a server CSR with my own CA

Hi,

I'm using a win32 binary version of Perl 5.6.1, mod_perl 1.25 and Apache 1.3.20, which also includes the apache module mod_ssl (2.8.4-1.3.20) based on OpenSSL (0.9.6a). I created my own server CRT (passed some problems, e.g. redirect config file in openssl req, download missing openssl.cnf from www.modssl.org) and built my own CA. But now I have problems signing the CRT with my own CA, because there is no sign.sh script for WinNT. I tried it with 'openssl ca' and went through several error messages (last was missing index.txt). Has anybody succeeded in this? Or has anybody another solution?

kind regards
Markus
ca server certificates
Hi,

We are using Apache/1.3.9 (Unix) mod_ssl/2.4.10 and we could authenticate our windows 2000 ca server certificates for the whole server. How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server? We configured httpd.conf as:

  <Location /pls/secureclient>
  SSLVerifyClient require
  SSLVerifyDepth 1
  </Location>

But it didn't work. We get an error message from the browser (internet explorer version 5.0):

  Method Not Allowed
  The requested method POST is not allowed for the URL /pls/secureclient/LOGIN.shtml.
  Apache/1.3.9 Server at appsvr Port 443
CA-Server on Win2000
Hi,

I need to put up a CA Server on Win2000 for testing purposes. Any recommendation for software will be highly appreciated. Sorry, if this request is out of scope.

Thanks.
Peter
Re: CA-Server on Win2000
if you have win2000 server/advanced server you can install certificate servers to do it

- Original Message -
From: Dr. Peter Kanyion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 08, 2002 11:15 AM
Subject: CA-Server on Win2000

Hi,

I need to put up a CA Server on Win2000 for testing purposes. Any recommendation for software will be highly appreciated. Sorry, if this request is out of scope.

Thanks.
Peter
RE: CA-Server on Win2000
Thanks for the swift response. No, I don't have the advanced server version of Win2000. If I correctly understood your comments, the certificate server is included in the advanced server, right? If that is the case, I'll strive to get the Win2000 advanced server version.

Thanks.
Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of madhon
Sent: Tuesday, 8 January 2002 12:40
To: [EMAIL PROTECTED]
Subject: Re: CA-Server on Win2000

if you have win2000 server/advanced server you can install certificate servers to do it

- Original Message -
From: Dr. Peter Kanyion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 08, 2002 11:15 AM
Subject: CA-Server on Win2000

Hi,

I need to put up a CA Server on Win2000 for testing purposes. Any recommendation for software will be highly appreciated. Sorry, if this request is out of scope.

Thanks.
Peter
Re: CA-Server on Win2000
it's included in both the server and advanced server versions of win2000

- Original Message -
From: Dr. Peter Kanyion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 08, 2002 11:44 AM
Subject: RE: CA-Server on Win2000

Thanks for the swift response. No, I don't have the advanced server version of Win2000. If I correctly understood your comments, the certificate server is included in the advanced server, right? If that is the case, I'll strive to get the Win2000 advanced server version.

Thanks.
Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of madhon
Sent: Tuesday, 8 January 2002 12:40
To: [EMAIL PROTECTED]
Subject: Re: CA-Server on Win2000

if you have win2000 server/advanced server you can install certificate servers to do it

- Original Message -
From: Dr. Peter Kanyion [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 08, 2002 11:15 AM
Subject: CA-Server on Win2000

Hi,

I need to put up a CA Server on Win2000 for testing purposes. Any recommendation for software will be highly appreciated. Sorry, if this request is out of scope.

Thanks.
Peter
Re: CA installation
Ok, I'm using mandrake linux; it came with a predefined key. I created a new key for my site, but when I put the certificate and the key in the /etc/httpd/ssl dir the server won't start.
Re: CA installation
andrew reid wrote:

Hi, I created a certificate to be used by apache but can't figure out how or where to install it. help please.

You need a cert and a key. When you compiled apache with mod_ssl, and did make install, they should have been installed for you. Anyway, they go in your apache conf dir (e.g. /usr/local/apache/conf) in their own directories ssl.crt and ssl.key - then you have to point to the key and cert in httpd.conf:

  SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

Make sure the key and the ssl.key directory are readable ONLY by root - i.e. permissions 400.

Rgds,
Owen Boyle.
IE6 Base ca-bundle
I have uploaded an IE6 based new ca-bundle.crt containing all root certs.

http://www.modssl.org/contrib/ca-bundle.crt.tar.gz

With Kind Regards,
Martin Brülisauer
Systime Informatik AG
Engineering Support
Bruggacherstrasse 26
CH-8117 Fällanden
Phone: +411-806-8650
Fax: +411-806-8622
http://www.systime.ch/
CA certificates
Does mod_ssl have to have SSLCACertificatePath and/or File to authenticate a verisign test client certificate? The How To page reads:

  SSLVerifyClient none
  <Directory /usr/local/apache/htdocs/secure/area>
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLCACertificateFile conf/ssl.crt/ca.crt
  SSLCACertificatePath conf/ssl.crt
  SSLOptions +FakeBasicAuth
  SSLRequireSSL
  SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
             %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
  </Directory>

for client certificate authentication as method 2. However, if I leave the SSLCACertificateFile or Path line in, on startup it complains that the directive does not belong there. Did I miss something in the main configuration that is causing this? So the only way I can get the server to start up is by taking those 2 lines out, and then I get "unable to get local issuer certificate" when I try to connect with the test client cert from verisign. Should I have verisign's CA cert loaded into apache conf?

Thanks in advance,
Chris
Re: Multiple CRLs with same CA
Yes, you can use OCSP with Entrust issued certificates.

Lorrayne

[EMAIL PROTECTED] wrote:

Hello Lorrayne,

Thanks for your input. By any chance, do you know if i can use OCSP with an Entrust CA (instead of CRLs)?

Regards,
Alec

From Schaefer, Lorrayne J. [EMAIL PROTECTED] on 12 December 2001 9:07:02
To: [EMAIL PROTECTED]
Copy To: [EMAIL PROTECTED]
Subject: Re: Multiple CRLs with same CA

Hi everyone.

I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust. I agree with Rich Salz's response. OCSP is a great way to go (and Valicert offers an Apache plug-in). :-)

Lorrayne

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
Re: Multiple CRLs with same CA
Valicert has listed Entrust as one of its partners. I would assume that would mean that Valicert can interoperate with Entrust issued certificates.

I think it is stretching things to say that partnership implies full parsing of the various Entrust CRLs. How many partnerships do you know where full implementation or interop is implied? :)

/r$
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Re: Multiple CRLs with same CA
Rich,

I'll check w/ an Entrust engineer today to see if I can get an honest (ha!) answer from him regarding your concerns.

Lorrayne
Re: Multiple CRLs with same CA
i'd ask a valicert person, actually.

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Re: Multiple CRLs with same CA
Hello there,

Thanks a lot for your help and input. Actually i found a solution to the problem. Entrust allows partitioned CRLs by default (CRLs are split for scalability purposes) but you can enable the combined CRL, which will not be split (for compatibility, as the partitioned CRL is only an option in the standard). So this one works well with openssl/mod_ssl. Those 2 CRLs (combined and partitioned) will both work at the same time without problems. If you want more info on that, don't hesitate to ask me.

Cheers,
Alec

From Schaefer, Lorrayne J. [EMAIL PROTECTED] on 12 December 2001 9:07:02
To: [EMAIL PROTECTED]
Copy To: [EMAIL PROTECTED]
Subject: Re: Multiple CRLs with same CA

Hi everyone.

I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust. I agree with Rich Salz's response. OCSP is a great way to go (and Valicert offers an Apache plug-in). :-)

Lorrayne

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
Re: Multiple CRLs with same CA
No, openssl does not yet support the (infinite :) ways to split CRLs that Entrust likes. OCSP is simpler. :)

/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
Re: Multiple CRLs with same CA
Hi everyone.

I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust. I agree with Rich Salz's response. OCSP is a great way to go (and Valicert offers an Apache plug-in). :-)

Lorrayne
Re: Multiple CRLs with same CA
Hello Lorrayne,

Thanks for your input. By any chance, do you know if i can use OCSP with an Entrust CA (instead of CRLs)?

Regards,
Alec

From Schaefer, Lorrayne J. [EMAIL PROTECTED] on 12 December 2001 9:07:02
To: [EMAIL PROTECTED]
Copy To: [EMAIL PROTECTED]
Subject: Re: Multiple CRLs with same CA

Hi everyone.

I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust. I agree with Rich Salz's response. OCSP is a great way to go (and Valicert offers an Apache plug-in). :-)

Lorrayne

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
Re: Multiple CRLs with same CA
Does Valicert support the various Entrust CRL extensions and partitioning? If not, then they're useless for this problem.

/r$
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Multiple CRLs with same CA
Hello there,

Does mod_ssl support having multiple CRLs for 1 CA? It seems it doesn't, and that's very annoying in my situation. I'm using Entrust PKI software which splits the CRL list when it reaches a defined size (for scalability). mod_ssl seems to check only the first CRL and doesn't care about the others, which means that users with revoked certificates can use them...

Regards,
Alec

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
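The failure mode described in this post, as an added example that is not part of any message in the thread nor mod_ssl's or Entrust's code: using the Python `cryptography` package it builds a throwaway CA and two CRL partitions (a simplified model of a size-split CRL that ignores the CRL extensions partitioned CRLs use), then shows that a checker which stops at the first CRL for the issuer accepts a certificate revoked in the second partition, while a checker that consults every partition catches it. All names, serials and dates in it are constructed.

```python
"""Revocation check across partitioned CRLs (added example, not mod_ssl or
Entrust code). Builds a throwaway CA, three client certificates and two CRL
partitions in memory with the `cryptography` package, then contrasts a checker
that stops at the first CRL for the issuer (the behaviour the thread describes)
with one that consults every partition. All names, serials and dates are
constructed for the demonstration."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed fixed clock so the example is reproducible.
NOW = datetime.datetime(2001, 12, 11, tzinfo=datetime.timezone.utc)
ONE_YEAR = datetime.timedelta(days=365)
ONE_WEEK = datetime.timedelta(days=7)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name="Example Partitioned CRL Test CA"):
    """Self-signed CA (constructed); returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW).not_valid_after(NOW + ONE_YEAR)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client(ca_key, ca_cert, common_name, serial):
    """End-entity certificate signed by the CA; its private key is not needed here."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + ONE_YEAR)
            .sign(ca_key, hashes.SHA256()))


def build_crl_partition(ca_key, ca_cert, revoked_serials):
    """One CRL partition: a CRL from the same issuer holding a subset of the
    revoked serials, as a CA that splits its CRL by size would emit."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + ONE_WEEK))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revoked_first_crl_only(cert, crls):
    """The lookup the thread complains about: the first CRL whose issuer
    matches decides, and later partitions are never consulted."""
    for crl in crls:
        if crl.issuer == cert.issuer:
            return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    return False


def revoked_any_partition(cert, crls, ca_cert):
    """Consult every CRL for the issuer: a serial listed in any partition is
    revoked. Fails closed (raises) when no CRL for the issuer is present or a
    CRL's signature does not verify against the CA, instead of accepting."""
    matching = [crl for crl in crls if crl.issuer == cert.issuer]
    if not matching:
        raise ValueError("no CRL for issuer; refusing to treat certificate as valid")
    for crl in matching:
        if not crl.is_signature_valid(ca_cert.public_key()):
            raise ValueError("CRL signature does not verify against the issuing CA")
    return any(crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
               for crl in matching)


def demo():
    """Three clients; the CA split its CRL after the first entry, so bob's
    revocation is only in the second partition. Returns both checkers' verdicts."""
    ca_key, ca_cert = make_ca()
    clients = {name: issue_client(ca_key, ca_cert, name, serial)
               for name, serial in (("alice", 1001), ("bob", 1002), ("carol", 1003))}
    partitions = [build_crl_partition(ca_key, ca_cert, [1001]),   # partition 1
                  build_crl_partition(ca_key, ca_cert, [1002])]   # partition 2
    return {"first_only": {n: revoked_first_crl_only(c, partitions)
                           for n, c in clients.items()},
            "all_partitions": {n: revoked_any_partition(c, partitions, ca_cert)
                               for n, c in clients.items()}}
```

`demo()` returns `first_only` accepting bob (revoked only in partition 2) and `all_partitions` rejecting him; a production check would additionally enforce CRL freshness via `next_update`.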
Re: Multiple CRLs with same CA
On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
> Hello there,
>
> Does mod_ssl support having multiple CRLs for 1 CA? It seems it doesn't, and that's very annoying in my situation. I'm using Entrust PKI software which splits the CRL list when it reaches a defined size (for scalability). mod_ssl seems to check only the first CRL and doesn't care about the others, which means that users with revoked certificates can use them...

Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable solution in an Entrust setup.

vh
Mads Toftum
--
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy
Re: Multiple CRLs with same CA
Hello Mads,

Thanks for your answer. I took a look at the web page of mod_authz_ldap but couldn't figure out how it could help me; can you explain your thoughts a bit more?

Regards,
Alec

From Mads Toftum [EMAIL PROTECTED] on 11 December 2001 23:45:53
To: [EMAIL PROTECTED]
Subject: Re: Multiple CRLs with same CA

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
RE: Re: Importing Self-signed CA into Netscape Browser
Have you created your CA certificate with the steps in http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29 ? Then you have the certificate in the right format.

I don't know if it works under Linux/Unix if you call a certificate from a file-URL (in Windump it doesn't); try to request it via http and the loadcacert.cgi (so that the correct mime-type is transmitted). After that Netscape brings up a window to install the certificate automatically and no password is required.

Here is the installation process of the cert with pictures (but in German):
Netscape 4: http://www.weisshuhn.de/security/ssl/netscape.html
Netscape 6: http://www.weisshuhn.de/security/ssl/ns6.html

GreetingX,
Alex

--- George Walsh [EMAIL PROTECTED] wrote:
Re: Importing Self-signed CA into Netscape Browser
Can you provide the URL of loadcacert.cgi?

If SSL is enabled the mime-type for certificates is ordinarily correctly set in the httpd.conf. So actually you don't need loadcacert.cgi, you just have to point your browser to the URL of the certificate. This worked for me without problems.

GreetingX,
Alex
RE: Re: Importing Self-signed CA into Netscape Browser
Thanks for taking the trouble to respond to my apparent thick-mindedness, Alex!

I pointed the URL to the actual test file containing the certificate: in this case file:///opt/apache/conf/ssl.crt/ca.crt. Then, I hit on the security icon and asked to import the certificate. It asks for a password (which I left blank) and then the name of the file - indicating an *.p12 extension. However, it will only find the file without the extension, of course. This suggests to me that some kind of conversion is necessary? If I ask to look for certificates accepted (in any category!) nothing shows except the commercial CAs.

Can you provide me with a further step up? Maybe I need to go back and recreate the certificates in encrypted form???

Thanks, Alex.

George

Alex Pircher [EMAIL PROTECTED] wrote:

--
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver Canada
Importing Self-signed CA into Netscape Browser
I prepared the CAs using the make certificate TYPE=custom option. Both the server and the CA files look fine to me and are in their proper pews. There were warnings about security depth being 0, but that is to be expected during the creation process.

In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into the browser. Then I have to 'walk through the dialog boxes'. Well, this is all too simple for me to comprehend. I can execute the script file and it assigns the x509 type, determines the length and prints out the certificate data, but that doesn't get into Communicator, so nothing really happens.

How do I tie the script output into Communicator to trigger what should be happening? Or is there a more straightforward way???

Thanks,
George Walsh, Managing Director
Travel Seewise Pacific Corp

--
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver Canada
expired CA certificate
What's the best way to renew an expired, self-signed CA certificate?

I'd like to be able to automate the steps that users (https, imaps with Netscape and Outlook) will have to go through during the renewal process so they don't have to find the old CA certificate in their programs and delete it. Can Certificate Revocation Lists be used for this?

best regards,
--
aspa
Re: Does this CA process make sense?
On 11 Jul 2001, at 9:51, Lutz Jaenicke wrote:

> On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
> > ...
>
> You should use three distinct certificates (and corresponding private keys):
>
> * The CA certificate. You already have one, use it with SSLCACertificateFile

    SSLCACertificatePath /home/dan/CA/demoCA/
    SSLCACertificateFile /home/dan/CA/demoCA/cacert.pem

> * The server's certificate. You don't have one by now. Create a new one signed from your CA. Issue it for CommonName (CN) being the FQDN (fully qualified domain name) of your server:
>
>   Use it with
>
>     mv newkey.pem server_key.pem
>     mv newcert.pem server_cert.pem
>     SSLCertificateFile /path/to/server_cert.pem
>     SSLCertificateKeyFile /path/to/server_key.pem

    SSLCertificateFile /home/dan/CA/server_cert.pem
    SSLCertificateKeyFile /home/dan/CA/server_key.pem

> * The client key. You already put it into iestuff.p12...

Done. Thank you. That's working fine now. I see what I was doing wrong. I was swapping the server and CA certificates. That's why the browser did not list any certificates when I visited the secure area of the site.

cheers
--
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php
Re: Does this CA process make sense?
On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
> ...

You should use three distinct certificates (and corresponding private keys):

* The CA certificate. You already have one, use it with SSLCACertificateFile

* The server's certificate. You don't have one by now. Create a new one signed from your CA. Issue it for CommonName (CN) being the FQDN (fully qualified domain name) of your server:

  Use it with

    mv newkey.pem server_key.pem
    mv newcert.pem server_cert.pem
    SSLCertificateFile /path/to/server_cert.pem
    SSLCertificateKeyFile /path/to/server_key.pem

* The client key. You already put it into iestuff.p12...

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Does this CA process make sense?
I'm using the CA.pl script provided with openssl in order to create a CA and then produce a self-signed certificate. I'm just looking for confirmation that I'm going through the correct steps and putting the right values into Apache.

All commands are issued from /home/dan/CA. The Apache directives point at the files in question rather than their ultimate destination off somewhere else. This is just for testing. Kids, don't do this at home.

    perl CA.pl -newca
    perl CA.pl -newreq
    perl CA.pl -sign
    openssl rsa < newreq.pem > newkey.pem
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out iestuff.p12

I imported iestuff.p12 into my MSIE browser and select that certificate when prompted by the browser. I then used the following SSL related values in my SSL vhost:

    SSLEngine on
    SSLCertificateFile /home/dan/CA/demoCA/cacert.pem
    SSLCertificateKeyFile /home/dan/CA/demoCA/private/cakey.key
    SSLCACertificatePath /home/dan/CA/demoCA/
    SSLCACertificateFile /home/dan/CA/demoCA/cacert.pem

    <Location /securelocation>
    SSLVerifyClient require
    SSLVerifyDepth 1
    </Location>

Note that I'm using the CA certificate and key for the SSL and the SSLCA information. Does that make sense?

I tried this:

    SSLCACertificatePath /home/dan/CA/
    SSLCACertificateFile /home/dan/CA/newcert.pem

But if I use that combination, my browser certificate is not listed in the Client Authentication dialog box presented by the browser when I go to /securelocation. Why? What have I misunderstood?

thanks.
--
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php
Re: SSLCertificateChain file for Intermediate CA
Hi Damon,

Could you please put in the corrected part of your httpd.conf file - all the directives that are relevant to SSL connections. I am interested in looking at the corrected piece (and commented pieces as well).

Rajaram.

To: [EMAIL PROTECTED]
cc:
Subject: Re: SSLCertificateChain file for Intermediate CA
Damon Maria [EMAIL PROTECTED] 05/22/01 08:42 PM
Please respond to modssl-users

> I think I've solved my problem and would just like to post the answer for someone else's reference.
>
> The offending line is:
>
>     SSLProtocol -all +SSLv2
>
> If I take that line out mod_ssl can load the certificate chain. I presume there's a good reason for this (chains require SSLv3 at a guess)?
>
> SSLProtocol was originally added because we just couldn't get around problems with MSIE 4.x connecting with SSL. Although it is a big hack, the suggested SSL changes in the mod_ssl FAQ just didn't work for us. I've since removed the SSLProtocol, added a SSL session cache and added +eNULL to the end of the SSLCipherSuite. Now I'm just waiting to see if MSIE 4.x users can still connect.
>
> I've also recently seen talk of SSLRequire %{SSL_CIPHER} = 128 solving the MSIE SGC bug. Has someone confirmed this to be true?
>
> thanks for the help,
> Damon.
>
> --
>     <VirtualHost>
>     ServerName www.motorweb.co.nz
>     SSLEngine on
>     # The following hopefully get around the MSIE 4.x and 5.0 SGC bug
>     # SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>     # The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
>     SSLProtocol -all +SSLv2
>     SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
>     SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>     # SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
>     # SSLLog /var/log/httpd/ssl_engine_log
>     # SSLLogLevel debug
>     SetEnvIf User-Agent ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>     CustomLog /var/log/httpd/ssl_request_log \
>         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Re: SSLCertificateChain file for Intermediate CA
[EMAIL PROTECTED] wrote:
> Hi Damon,
>
> Could you please put in the corrected part of your httpd.conf file - all the directives that are relevant to SSL connections.

OK, this is for the site https://www.motorweb.co.nz. Try it and you may I say.

First off, I'm using a Verisign Global ID certificate (ie. SGC). What I have currently works with MSIE 5+ and NS 4.7 (haven't tried other NS's). It does work with MSIE 4 but this version of IE doesn't like the Verisign Global certificate (it can't complete the chain) and therefore says it doesn't trust our site. This is despite the fact that Verisign says the Global IDs work with MSIE 4+, so I must still have something wrong.

At the bottom of this message is the ssl_engine_log of the server starting up and MSIE 4.7 trying to connect. Can someone point out why the intermediate_ca doesn't seem to get to IE? Is it because IE is connecting with SSLv2?

Anyway, here's the relevant lines from my httpd.conf

--- httpd.conf ---

    Listen 443

    # SSL session cache is required to get around MSIE bugs
    SSLSessionCache dbm:/var/log/httpd/ssl_cache
    SSLSessionCacheTimeout 300

    <VirtualHost 210.55.172.141:443>
    ServerName www.motorweb.co.nz
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate-ca.crt
    SSLLog /var/log/httpd/ssl_engine_log
    SSLLogLevel trace
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

--- ssl_engine_log ---

    Init: Loading certificate & private key of SSL-aware server www.motorweb.co.nz:443
    Init: (www.motorweb.co.nz:443) unencrypted RSA private key - pass phrase not required
    Init: Configuring server www.motorweb.co.nz:443 for SSL protocol
    Init: (www.motorweb.co.nz:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
    Init: (www.motorweb.co.nz:443) Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
    Init: (www.motorweb.co.nz:443) Configuring RSA server certificate
    Init: (www.motorweb.co.nz:443) RSA server certificate enables Server Gated Cryptography (SGC)
    Init: (www.motorweb.co.nz:443) Configuring RSA server private key
    Init: (www.motorweb.co.nz:443) Configuring server certificate chain (1 CA certificate)
    Connection to child 2 established (server www.motorweb.co.nz:443, client 210.55.82.41)
    Seeding PRNG with 0 bytes of entropy
    OpenSSL: Handshake: start
    OpenSSL: Loop: before/accept initialization
    OpenSSL: Loop: SSLv2 read client hello A
    OpenSSL: Loop: SSLv2 write server hello A
    OpenSSL: Loop: SSLv2 read client master key A
    OpenSSL: Loop: SSLv2 server start encryption
    OpenSSL: Loop: SSLv2 write server verify A
    OpenSSL: Loop: SSLv2 read client finished A
    OpenSSL: Loop: SSLv2 write request certificate A
    OpenSSL: Loop: SSLv2 write server finished A
    Inter-Process Session Cache: request=SET status=OK id=82EBC78C51D8403F32DA3EA9C62507DC timeout=299s (session caching)
    OpenSSL: Handshake: done
    Connection: Client IP: 210.55.82.41, Protocol: SSLv2, Cipher: EXP-RC4-MD5 (40/128 bits)
    Connection to child 2 closed with standard shutdown (server www.motorweb.co.nz:443, client 210.55.82.41)
Re: R: Cert signed by own CA and IE
Genkin.

I think I know what your problem is. You must add the issuer of the certificate to the certificate chain. The problem is that IE doesn't have the ROOT (issuer) for the certificate and it must have the entire chain to consider it trusted. Place the issuer (I think Thpoon CA) in the certificate chain (usually ca-bundle.pem) so mod_ssl has a way to offer the entire certification chain to the browser. Right now this is not happening as IE can not retrieve the ROOT certificate from the session.

Hope it works, drop me a line

Diego

- Original Message -
From: Arcady Genkin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 16, 2001 10:01 PM
Subject: Re: R: Cert signed by own CA and IE

> Andrea Cerrito [EMAIL PROTECTED] writes:
>
> > > Connecting to a secure site with a certificate signed by own CA, IE seems to provide no obvious way of permanently adding the cert to the browser's configuration. As a result, a warning that "The security certificate is issued by a company you have not chosen to trust..." is displayed every time I'm trying to establish a connection. Is there a fool-proof way to permanently add a certificate or tell IE that the CA is to be trusted?
> >
> > Show Certificate / Install Certificate.
>
> I tried that, and it didn't work. It told me that the certificate was installed successfully, but once I quit IE, restart it, and load the page again, it displays the same warning again. The minimal html page I'm experimenting with is at https://www.thpoon.com If anyone would try to install the certificate from it in IE: maybe I did something wrong with configuration? I wasn't able to install it.
>
> > Can u print your conf?
>
> You mean from httpd.conf? Since it's huge, I've posted it at http://www.thpoon.com/tmp/httpd.conf rather than sending to the list. The SSL-related stuff is at the bottom of it.
>
> Thanks!
>
> p.s. This is a repost, since I have replied from a different email address than the one I've subscribed from and I'm afraid that it didn't come through. Sorry if this is a dupe.
> --
> Arcady Genkin
R: R: Cert signed by own CA and IE
Sorry for the delay, I was on the beach... :)
I saw you solved your problem. Great.

---
Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A 05100 Terni IT
Tel. +39 744 5441330 Fax. +39 744 5441372

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Paul-Catalin Oros
Sent: Friday 18 May 2001 17.59
To: [EMAIL PROTECTED]
Subject: Re: R: Cert signed by own CA and IE

Hi Arcady!

Have you solved your problem? I was able to install your certificate, after I installed your self-signed CA certificate. Is it possible that this is the missing step in your testing? The CA cert has to be added to your root auth., then you'll be able to install the actual server certificate.

Hope this helps,
Paul

PS: I am using IE 5.0

On Wed, 16 May 2001, Arcady Genkin wrote:

--
Bills travel through the mail at twice the speed of checks
Re: SSLCertificateChain file for Intermediate CA
> Without going through mod_ssl's source: did you try to put the complete chain into the ChainFile?

Tried this, but it didn't make any difference.

> With respect to the error message, mod_ssl can write more messages than that into e.g. an ssl_engine_log. Did you check all possible logfiles?

I've checked, even with SSLLogLevel debug I couldn't get any more out of it. I've since looked through the mod_ssl source and if there is any kind of error while trying to load the ChainFile then the generic "Failed to configure CA certificate chain!" message is produced. Not very helpful really since there are many possibilities.

I have also tried using SSLCACertificateFile instead of and in conjunction with SSLCertificateChainFile. This was described at http://www.verisign.com/support/tlc/class3_install_docs/ssleay/v00g.html as the instructions for ApacheSSL rather than mod_ssl. If used instead of SSLCertificateChainFile no init errors happen and the following is reported in ssl_engine_log:

    [20/May/2001 15:10:19 11541] [trace] Init: (www.motorweb.co.nz:443) Configuring client authentication
    [20/May/2001 15:10:19 11541] [trace] CA certificate: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

So it appears there is nothing wrong with my Intermediate Certificate (since that's what the trace is outputting) or Apache's ability to read it. Why oh why then doesn't it work with SSLCertificateChainFile, agh!

Thanks for the help and suggestions, but I'm still stuck. One thing I haven't mentioned previously is that I'm running Apache 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with either of these versions.

regards,
Damon.
Re: SSLCertificateChain file for Intermediate CA
On Sun, 20 May 2001, Damon Maria wrote:
> One thing I haven't mentioned previously is that I'm running Apache 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with either of these versions.

Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and it uses the SSLCertificateChain thang without problems.

--
Regards,
Juha

PGP fingerprint: B7E1 CC52 5FCA 9756 B502 10C8 4CD8 B066 12F3 9544
Re: SSLCertificateChain file for Intermediate CA
Juha Saarinen wrote:

> On Sun, 20 May 2001, Damon Maria wrote:
>
> > One thing I haven't mentioned previously is that I'm running Apache 1.3.12
> > and mod_ssl 2.6. But I presume there shouldn't be a problem with either of
> > these versions.
>
> Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with
> mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and it
> uses the SSLCertificateChain thang without problems.

I may as well, I'm running out of other options.

thanks again for the help,
Damon.
Re: SSLCertificateChain file for Intermediate CA
On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:

> Since I haven't gotten too much of a response yet (except for thanks to
> Juha) I'll post my VirtualHost in httpd.conf, which I probably should have
> done in the first place. If I uncomment the SSLCertificateChainFile line
> then the following appears in the log and apache won't start...
>
> [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!
>
> I've copied my original message at the bottom of this one which contains
> the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it
> from Verisign's site).

Without going through mod_ssl's source: did you try to put the complete chain into the ChainFile? The server cert is in its own file. For my server (www.aet.tu-cottbus.de) I have an intermediate and a root CA certificate. Both are concatenated together into the chain file.

With respect to the error message, mod_ssl can write more messages than that into e.g. an ssl_engine_log. Did you check all possible logfiles?

Best regards,
Lutz

--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
AW: SSLCertificateChain file for Intermediate CA
Lutz,

when I try to access your site with Internet Explorer 5.5, IE tells me that it cannot verify the certificate. The German error message is:

Das Zertifikat wurde von einer Firma ausgestellt, die Sie nicht als vertrauenswürdig eingestuft haben. Untersuchen Sie das Zertifikat um festzustellen, ob Sie der ausstellenden Institution vertrauen möchten.

-----Original Message-----
From: Lutz Jaenicke [SMTP:[EMAIL PROTECTED]]
Sent: Friday, 18 May 2001 10:50
To: [EMAIL PROTECTED]
Subject: Re: SSLCertificateChain file for Intermediate CA

> On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:
>
> > Since I haven't gotten too much of a response yet (except for thanks to
> > Juha) I'll post my VirtualHost in httpd.conf, which I probably should
> > have done in the first place. If I uncomment the SSLCertificateChainFile
> > line then the following appears in the log and apache won't start...
> >
> > [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!
> >
> > I've copied my original message at the bottom of this one which contains
> > the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it
> > from Verisign's site).
>
> Without going through mod_ssl's source: did you try to put the complete
> chain into the ChainFile? The server cert is in its own file. For my
> server (www.aet.tu-cottbus.de) I have an intermediate and a root CA
> certificate. Both are concatenated together into the chain file.
>
> With respect to the error message, mod_ssl can write more messages than
> that into e.g. an ssl_engine_log. Did you check all possible logfiles?
>
> Best regards,
> Lutz
>
> --
> Lutz Jaenicke                             [EMAIL PROTECTED]
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: SSLCertificateChain file for Intermediate CA
On Fri, May 18, 2001 at 01:21:31PM +0200, Henning von Bargen wrote:

> Lutz,
>
> when I try to access your site with Internet Explorer 5.5, IE tells me
> that it cannot verify the certificate. The German error message is:
>
> Das Zertifikat wurde von einer Firma ausgestellt, die Sie nicht als
> vertrauenswürdig eingestuft haben. Untersuchen Sie das Zertifikat um
> festzustellen, ob Sie der ausstellenden Institution vertrauen möchten.

Yes, that is true. Our certificate was issued by our university's computer center (intermediate CA) and the root CA is the DFN (German research network, the provider for the German universities and scientific institutions).

emws1 26: openssl s_client -connect www.aet.tu-cottbus.de:443
CONNECTED(0003)
depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet Cottbus/OU=Allgemeine Elektrotechnik und Numerische [EMAIL PROTECTED]
   i:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED]
 1 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
 2 s:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]

The message IE shows is due to the fact that DFN-PCA is not part of the standard CA bundle. When you import the DFN-PCA certificate, the problem will go away:
http://www.pca.dfn.de/dfnpca/certify/ssl/pca-key.html

(I also have not initialized the trusted CA storage for openssl s_client, which correspondingly complains about "self signed certificate in certificate chain".)

Best regards,
Lutz

--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: R: Cert signed by own CA and IE
Hi Arcady!

Have you solved your problem? I was able to install your certificate after I installed your self-signed CA certificate. Is it possible this is the missing step in your testing? The CA cert has to be added to your root auth., then you'll be able to install the actual server certificate.

Hope this helps,
Paul

PS: I am using IE 5.0

On Wed, 16 May 2001, Arcady Genkin wrote:

> Andrea Cerrito [EMAIL PROTECTED] writes:
>
> > > Connecting to a secure site with a certificate signed by own CA, IE
> > > seems to provide no obvious way of permanently adding the cert to the
> > > browser's configuration. As a result, a warning that "The security
> > > certificate is issued by a company you have not chosen to trust..." is
> > > displayed every time I'm trying to establish a connection. Is there a
> > > fool-proof way to permanently add a certificate or tell IE that the CA
> > > is to be trusted?
> >
> > Show Certificate / Install Certificate.
>
> I tried that, and it didn't work. It told me that the certificate was
> installed successfully, but once I quit IE, restart it, and load the page
> again, it displays the same warning again.
>
> > > The minimal html page I'm experimenting with is at https://www.thpoon.com
> > > If anyone would try to install the certificate from it in IE: maybe I
> > > did something wrong with configuration?
> >
> > I wasn't able to install it. Can u print your conf?
>
> You mean from httpd.conf? Since it's huge, I've posted it at
> http://www.thpoon.com/tmp/httpd.conf rather than sending to the list. The
> SSL-related stuff is at the bottom of it.
>
> Thanks!
>
> p.s. This is a repost, since I have replied from a different email address
> than the one I've subscribed from and I'm afraid that it didn't come
> through. Sorry if this is a dupe.
>
> --
> Arcady Genkin

--
Bills travel through the mail at twice the speed of checks
Re: R: Cert signed by own CA and IE
Paul-Catalin Oros [EMAIL PROTECTED] writes:

> Have you solved your problem? I was able to install your certificate
> after I installed your self-signed CA certificate. Is it possible this is
> the missing step in your testing? The CA cert has to be added to your
> root auth., then you'll be able to install the actual server certificate.

Yes, it seems that I have solved the problem by pointing SSLCertificateChainFile to my ca.crt, with off-list help from another list member. It now works fine.

In my opinion the easiest way of configuring IE to access sites with certificates signed by own CAs is to put the CA's certificate in a URL and let the users click on it: the browser will pop up a dialogue to install a new root authority cert, and after that all is done.

Thanks,
--
Arcady Genkin
Re: Being one's own CA for a University computer lab
Arcady Genkin wrote:

> The documentation states that being one's own CA is insecure in the
> Internet environment, while is acceptable on the intra-net. Could anyone
> explain the issues implied by that statement?

SSL is not less secure if you are your own CA, at least from a technical point of view. But the problem is that a CA is supposed to be a mutually trusted neutral third party, that can guarantee to the server that the client is who it says it is, and to the client that the server is who it says it is. If you are your own CA, chances are no one on the internet is going to trust you. In your situation though, I think it's of little or no importance.

> Also, to what extent is the user inconvenienced by an SSL site using
> certificate signed by a non-well-known authority? Are the browsers
> cooperative when it comes to adding such an authority to the list of known
> CAs?

I wouldn't count on Netscape or Microsoft to include your university's self signed root CA certificate :-) Still, that's not really a problem. The only inconvenience is that clients will have to explicitly import your own root CA certificate just once.

> We are planning on setting up a secure site for a university's computer
> lab for the instructors and students to use. So, the context is
> non-commercial environment where the users can trust us to provide valid
> certificates. They'll be connecting both via the local network and the
> Internet, though, and we'd like to know what we are risking by going the
> way of being our own CA.

From what you tell, I'd say being your own CA is a very good solution.

Regards,
Jan
Re: SSLCertificateChain file for Intermediate CA
> I presume you're not trying to explicitly construct the server certificate
> chain that is being sent to the browser, together with the actual server
> cert?

This is what I'm trying to do. I'm trying to send all the certificates in the chain (except the root) to the browser. This includes my server certificate and the intermediate certificate.

If you try https://www.motorweb.co.nz/ in IE (I'm using 5.0) and click on the padlock, look at the Certification Path. You'll see there is the Primary CA, the www.verisign.com Intermediate CA and then the www.motorweb.co.nz certificate. IE contains the Primary and Intermediate CA and so works fine. Other browsers don't contain the Intermediate CA and so can't complete the chain. I need to get mod_ssl to serve up the Intermediate CA, and that's what SSLCertificateChainFile is supposed to do. But adding that into httpd.conf causes mod_ssl to die on startup: Failed to configure CA certificate chain!

regards,
Damon.
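The situation Damon describes (browsers ship only the root, so the server has to send the intermediate) and Lutz's advice earlier in the thread (concatenate the intermediate and root into the chain file) can both be exercised offline. The Go program below is an added example, not code from the thread or from mod_ssl: it builds a constructed three-level test PKI, assembles a PEM bundle the way an SSLCertificateChainFile is assembled, checks the file the way one would before pointing mod_ssl at it (every block parses, each certificate is signed by the next), and then verifies the server certificate as a browser that trusts only the root would, with and without the intermediate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for a constructed test PKI, signed by parent (self-signed when parent is nil); errors are ignored because the inputs are fixed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pemBundle concatenates certificates the way an SSLCertificateChainFile is assembled (intermediate first, root last).
func pemBundle(certs ...*x509.Certificate) (out []byte) {
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// parseChainFile is the check to run on a chain file before mod_ssl sees it: every PEM block must parse and cert i must be signed by cert i+1.
func parseChainFile(bundle []byte) (chain []*x509.Certificate, err error) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		c, perr := x509.ParseCertificate(blk.Bytes)
		if blk.Type != "CERTIFICATE" || perr != nil {
			return nil, fmt.Errorf("PEM block %d is not a valid certificate: %v", len(chain), perr)
		}
		if len(chain) > 0 && chain[len(chain)-1].CheckSignatureFrom(c) != nil {
			return nil, fmt.Errorf("%q is not issued by %q", chain[len(chain)-1].Subject.CommonName, c.Subject.CommonName)
		}
		chain = append(chain, c)
	}
	if len(chain) == 0 {
		err = fmt.Errorf("no CERTIFICATE block found (file truncated or not PEM?)")
	}
	return chain, err
}

// verifyLikeBrowser trusts only root (as a browser's CA bundle would) and treats sent as the certificates the server presented.
func verifyLikeBrowser(leaf *x509.Certificate, sent *x509.CertPool, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent})
	return err
}
```

With an empty pool for sent, verification fails exactly as it does in the browsers Damon mentions; once the parsed chain is added, it succeeds.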
Re: SSLCertificateChain file for Intermediate CA
Since I haven't gotten too much of a response yet (except for thanks to Juha) I'll post my VirtualHost in httpd.conf, which I probably should have done in the first place. If I uncomment the SSLCertificateChainFile line then the following appears in the log and apache won't start...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!

I've copied my original message at the bottom of this one which contains the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it from Verisign's site).

I've seen this solution to the Global ID Intermediate CA problem documented all over the web, but can't get it to work. There must be something obviously wrong with what I've done.

yours in desperation,
Damon.

--
<VirtualHost ...>
    ServerName www.motorweb.co.nz
    SSLEngine on
    # The following hopefully get around the MSIE 4.x and 5.0 SGC bug
    # SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    # The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
    SSLProtocol -all +SSLv2
    SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    # SSLLog /var/log/httpd/ssl_engine_log
    # SSLLogLevel debug
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

-------- Original Message --------
Subject: SSLCertificateChain file for Intermediate CA
Date: Thu, 17 May 2001 15:47:46 +1200
From: Damon Maria [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

I'm using a Verisign Global ID and therefore need to configure modssl to serve up the Intermediate CA. I've followed the various instructions I've found for this but with no success.

I downloaded the Intermediate CA and saved it under intermediate_ca.crt (I've listed it at the bottom of this message). I then added...

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

into my VirtualHost next to all the other SSL* settings. But if I start Apache with this setting it reports...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!

I've tried SSLLogLevel debug but this doesn't produce any more information.

I've been trying for ages and am getting desperate, can someone help me out.

thanks in advance,
Damon Maria.