Michael wrote:
>
> apache_ssl w/openssl 9.2b
>
> Everything was going fine. All of a sudden when I attempt
> ssl connection with NS 4.05, NS4.08 I get the message
>
> "The certificate is not approved for the attempted operation"
>
> NS is using PKCS#11 v2.0 lib version 4.0
>
> No problems with NS 3.0x, MSIE 4.01, they work fine.
>
> The only thing common to both non/working certs is that the
> non-working was newly generated. An older test certificate works
> fine. Can someone shed some light for me!? I have no clue what is
> happening or how to fix it.
>
The usual cause is an inappropriate netscape certificate type or
keyUsage extension. When a server certificate is signed you need to have
at least server for netscape certificate type (or leave it out) and
keyEncipherment for keyUsage (or leave it out).
Check the config file or post it and the certificate if you aren't sure.
Older versions of Netscape didn't check this, newer ones do.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
