Hector Jimenez Pensado wrote:
>
> Hi all,
>
> 5. I also convert the demoCA/cacert.pem to PKCS#12:
> openssl pkcs12 -export -in demoCA/cacert.pem -inkey private/cakey.pem -name
> "MY_ORG CA" -certfile demoCA/cacert.pem -out thecacert.pfx
>
DO NOT DO THIS! If you do this with users you end up giving them the CA
private key!! They can then impersonate the CA and issue certificates
with any details they want in them.
There are several ways to do this properly. In your description you
appear to have included cacert.pem in the PKCS#12 file which is OK. IE5
should automatically prompt you to add the CA certificate. Netscape
should auto add the CA certificate as untrusted: you then just have to
find it under signers and click the trust boxes.
Alternatively: you can strip any lines before the BEGIN and after END in
cacert.pem and import that file. You can create a link pointing to
cacert.pem that sends it as MIME type application/x-x509-ca-cert on a
server.
> The problems I have right now are:
>
> 1. With MSIE 5: when the server asks for a client
> certificate, a window appears telling me to select a certificate to
> send to the server, but none appears in the list, and I do have one
> imported in the Personal Store.
>
This is a server configuration issue: you need to tell the server that
you will accept client certificates from 'cacert.pem'. How you do this
depends on the server.
> 2. With Netscape: I try to connect to the server but it says, "The
> certificate
> is not approved for the attempted operation".
This is caused by problems with the server certificate or the server CA if
you get this message as soon as you attempt to connect. Usually
inappropriate certificate extensions: e.g. set up for SSL client.
> I go to the security tab, select Signers and the CA that I installed can be
> verified successfully, but the certificate in Yours says: Certificate
> not trusted, reason that I think is because the above message appears.
No, you get something different if that's the case. I assume you've set
the CA to be trusted for client certificates?
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
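The following script is an added example and is not part of the thread above or of the OpenSSL project's own tooling. It builds a throwaway CA and one client certificate in a temporary directory, then produces both the PKCS#12 file from the quoted message (CA certificate plus CA private key, the thing Steve warns against) and the export a user should actually receive (the user's own key and certificate, with cacert.pem included only as the chain). A small check function extracts the private key from each .pfx and compares its public half against the CA certificate, so an operator can test a bundle for a leaked CA key before handing it out. The names (MY_ORG CA, alice, thecacert.pfx), the export password "x", and the minimal req.cnf are constructed placeholders; the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI.
set -eu

PASS=x   # constructed test password for the PKCS#12 files

# Build a self-signed CA and one client certificate signed by it.
# The tiny req.cnf only exists so that 'openssl req' does not depend on
# the system openssl.cnf; all subject data comes from -subj.
make_test_pki() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=MY_ORG CA" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=alice" -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/alice.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/alice.pem" 2>/dev/null
}

# The export from the quoted message: the CA certificate together with the
# CA PRIVATE KEY. Whoever receives this file can issue certificates as the CA.
export_ca_key_wrongly() {
    dir=$1
    openssl pkcs12 -export -in "$dir/cacert.pem" -inkey "$dir/cakey.pem" \
        -name "MY_ORG CA" -certfile "$dir/cacert.pem" \
        -out "$dir/thecacert.pfx" -passout "pass:$PASS"
}

# The export a user should get: their own key and certificate, with the CA
# certificate included only as the chain (so the browser can pick it up).
export_client_correctly() {
    dir=$1
    openssl pkcs12 -export -in "$dir/alice.pem" -inkey "$dir/alice.key" \
        -name "alice" -certfile "$dir/cacert.pem" \
        -out "$dir/alice.pfx" -passout "pass:$PASS"
}

# Returns 0 if the private key inside the .pfx is the CA's key (its public
# half equals the CA certificate's public key), 1 otherwise.
pfx_contains_ca_key() {
    pfx=$1
    cacert=$2
    pfx_pub=$(openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    ca_pub=$(openssl x509 -in "$cacert" -pubkey -noout)
    [ -n "$pfx_pub" ] && [ "$pfx_pub" = "$ca_pub" ]
}

# Runs the whole demonstration in a temporary directory.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    export_ca_key_wrongly "$work"
    export_client_correctly "$work"
    if pfx_contains_ca_key "$work/thecacert.pfx" "$work/cacert.pem"; then
        echo "thecacert.pfx: CA private key present, do not distribute"
    fi
    if ! pfx_contains_ca_key "$work/alice.pfx" "$work/cacert.pem"; then
        echo "alice.pfx: only the user's key present, safe to hand out"
    fi
    rm -rf "$work"
}

demo
```

The check relies on the fact that a PKCS#12 file carries exactly one private key and that a certificate's public key is unique to its key pair: if the key extracted with `openssl pkcs12 -nocerts` reproduces the CA certificate's `-pubkey`, the file is a CA key export regardless of what `-name` it was given.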