Re: Verisign CA cert problem

2004-05-19 Thread Christopher McCrory
On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
 Hello,
 
 I am having problems with a brand new Verisign 128 bit certificate that has
 just been purchased.  I have installed the certificate and the intermediate
 CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.
 

Did you get a new intermediate cert (intermediate.crt) from Verisign
also?  This also goes in the Apache config; directions are somewhere on
Verisign's site.


 What I am seeing is that Netscape and Mozilla connect to the site just fine.
 When I connect to the site with IE 6 the security window pops up telling me
 that the certificate has either expired or is not valid yet.  When I look
 at the certificate the intermediate CA cert that IE is using is the expired
 cert that was installed with IE.  I tried removing the old intermediate CA
 cert from IE altogether and it still will not load the intermediate CA cert
 from my server.
 
 I am not really sure what to try at this point.   Oh, yes, Verisign support 
 has been pretty much useless.
 
 Help suggestions will be greatly appreciated.
 
 Bill
 
 +---
 | Bill MacAllister
 | 14219 Auburn Road
 | Grass Valley, CA 95949
 | 530-272-8555
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
-- 
Christopher McCrory
 The guy that keeps the servers running
 
[EMAIL PROTECTED]
 http://www.pricegrabber.com
 
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.



Re: Verisign CA cert problem

2004-05-19 Thread Bill MacAllister

--On Wednesday, May 19, 2004 10:50:44 AM -0700 Christopher McCrory 
[EMAIL PROTECTED] wrote:

On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
  Hello,

  I am having problems with a brand new Verisign 128 bit certificate that
  has just been purchased.  I have installed the certificate and the
  intermediate CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d
  instance.

 Did you get a new intermediate cert (intermediate.crt) from Verisign
 also?  This also goes in the Apache config; directions are somewhere on
 Verisign's site.

Yes.  The only certificate that has ever been on my servers is the new CA
cert.

Actually there are multiple references on the Verisign site:

http://www.verisign.com/support/install/apache/v00Mod.html#global
http://www.verisign.com/support/site/caReplacement.html

Of course, while both describe the same issue they suggest slightly
different Apache directives.  Respectively the two suggestions are:

 SSLCertificateFile /etc/ssl/crt/public.crt
 SSLCertificateKeyFile /etc/ssl/crt/private.key
 SSLCertificateChainFile /etc/ssl/crt/intermediate.crt

and

 SSLCACertificateFile /etc/ssl/crt/intermediate.crt

I have tried both and neither method works for IE.

Bill


+---
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555
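
The symptom discussed in this thread (a client building the path through an expired intermediate it already holds instead of the one the server sends) can be reproduced offline with openssl. This is an added example, not part of the original messages; every key, name and certificate in it is constructed locally, and it assumes the replacement intermediate reuses the subject and key of the expired one.

```shell
#!/bin/sh
# Added example: all keys, names and certificates are constructed locally.
set -e

csr() {  # csr NAME SUBJECT -> NAME.key and NAME.csr
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
}

build_demo_pki() {
  cd "$(mktemp -d)"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  csr root '/CN=Constructed Root CA'
  csr int  '/CN=Constructed Intermediate CA'
  csr leaf '/CN=www.example.test'
  # Self-signed root, valid for ten years.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 3650 -out root.crt 2>/dev/null
  # Same intermediate key and subject issued twice: the old certificate
  # lasts one day, the replacement ten years.
  for v in old:1 new:3650; do
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days "${v#*:}" \
      -out "int-${v%:*}.crt" 2>/dev/null
  done
  # Server certificate signed by the intermediate key.
  openssl x509 -req -in leaf.csr -CA int-new.crt -CAkey int.key \
    -CAcreateserial -days 365 -out leaf.crt 2>/dev/null
}

# check_chain INTERMEDIATE EPOCH: validate leaf.crt as a client would if it
# built the path through INTERMEDIATE at time EPOCH; prints ok or fail.
check_chain() {
  if openssl verify -attime "$2" -CAfile root.crt -untrusted "$1" \
       leaf.crt >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

build_demo_pki
T=$(( $(date +%s) + 172800 ))   # two days from now: int-old.crt has expired
echo "path through the stale local intermediate: $(check_chain int-old.crt "$T")"
echo "path through the intermediate the server sends: $(check_chain int-new.crt "$T")"
```

Against a real server, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) lists the certificates the server actually sends, which shows whether the chain file directive took effect.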