Hector Jimenez Pensado wrote:
> 
> > >
> > > 5. I also convert the demoCA/cacert.pem to PKCS#12:
> > > openssl pkcs12 -export -in demoCA/cacert.pem -inkey
> > private/cakey.pem -name
> > > "MY_ORG CA" -certfile demoCA/cacert.pem -out thecacert.pfx
> > >
> >
> > DO NOT DO THIS! If you do this with users you end up giving them the CA
> > private key!! They can then impersonate the CA and issue certificates
> > with any details they want in them.
> 
> Ok, so do I just strip that off the command? (-certfile demoCA/cacert.pem)
> I just practically copied it from the FAQ.
> 

Well I'm pretty sure that precise command appears nowhere in my FAQ but
I'll apologise publicly if I'm wrong.

It's not the -certfile that's the problem, it's the fact that you are using
the -inkey option to create a PKCS#12 file which includes the CA PRIVATE
KEY.

The examples in the FAQ unless I'm much mistaken use the private key
corresponding to the client certificate.

> > There are several ways to do this properly. In your description you
> > appear to have included cacert.pem in the PKCS#12 file which is OK. IE5
> > should automatically prompt you to add the CA certificate. Netscape
> > should auto add the CA certificate as untrusted: you then just have to
> > find it under signers and click the trust boxes.
> 
> Ok but you just told me not to include that file.
> 
> > Alternatively: you can strip any lines before the BEGIN and after END in
> > cacert.pem and import that file. You can create a link pointing to
> > cacert.pem that sends it as MIME type application/x-x509-ca-cert on a
> > server.
> 
> That's what I did, but I did not strip off the BEGIN-END lines; did that affect
> anything?
> 

No, it shouldn't affect anything; the browsers are quite tolerant of this
kind of thing. If it works at all then it will have done the right
thing.

> >
> > > 2. With Netscape: I try to connect to the server but it says, "The
> > > certificate
> > > is not approved for the attempted operation".
> >
> > This is caused by problems with the server certificate or the server CA if
> > you get this message as soon as you attempt to connect. Usually
> > inappropriate certificate extensions: e.g. set up for SSL client.
> 
> Ok, so I have to add the nsCertType extensions when I create the CA, and
> also
> the server's certificate, correct?
> 

You don't need nsCertType in the CA; if it's present it restricts the
usage to which the CA can be put. If it's absent it can be used for any
purpose.

Similarly, in the client certificate, if you leave out nsCertType then it
can be used for email, SSL client or SSL server use. The one exception
is object signing, for which the extension must be present.

Anyway if you want to use nsCertType then these are the minimum values
you need:

SSL server or client CA: sslCA
SSL server certificate: server
SSL client certificate: client

> > > I go to the security tab, select Signers and the CA that I
> > installed can be
> > > verified successfully, but the certificate in Yours says: Certificate
> > > not trusted, the reason for which I think is because the above message appears.
> >
> > No, you get something different if that's the case. I assume you've set
> > the CA to be trusted for client certificates?
> 
> How do I do this? When creating the CA with CA.sh? Again, I followed the
> FAQ.
> 

Open the CA certificate under Signers, click on the edit box and check
the box for client CA use if it isn't already set.

If you are still having problems then send me the output of:

openssl x509 -in cert.pem -text

for the CA certificate, the server certificate and a sample client
certificate and I'll see if anything looks wrong.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

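The point Steve makes above, as an added example that is not part of the original thread: the PKCS#12 file a user imports must carry the user's own private key, with the CA certificate included only as an extra certificate, never built with `-inkey` pointing at the CA key. The script below builds a throwaway CA and client certificate with the minimum nsCertType values listed in the reply (sslCA, client), exports the bundle the right way and the way the original command did it, and then inspects both bundles to show which one leaks the CA private key. It assumes `openssl` (1.1.1 or 3.x) is on PATH; the file names follow the thread, while the P-256 keys, the export password `changeit`, the extension config and the subject names are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes `openssl` on PATH.
# cakey.pem / cacert.pem / thecacert.pfx are the names from the thread; the
# EC keys, the password and the config sections below are demo assumptions.

PASS=changeit   # export/import password for the .pfx files (demo assumption)

# Minimal config so `req` and `x509 -req` do not depend on the system openssl.cnf.
# The extension sections give the minimum nsCertType values from the reply.
write_config() {
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nsCertType = sslCA
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
nsCertType = client
EOF
}

# Build a self-signed CA and one client certificate signed by it.
make_pki() {
    write_config || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out cakey.pem || return 1
    openssl req -new -x509 -key cakey.pem -config ext.cnf -extensions ca_ext \
        -subj "/CN=MY_ORG CA" -days 365 -out cacert.pem || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out clientkey.pem || return 1
    openssl req -new -key clientkey.pem -config ext.cnf -subj "/CN=hector" -out client.csr || return 1
    openssl x509 -req -in client.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -days 365 -extfile ext.cnf -extensions client_ext -out clientcert.pem 2>/dev/null
}

# Right: the client's own key and cert, with the CA cert as an extra cert (-certfile).
export_client_pfx() {
    openssl pkcs12 -export -in clientcert.pem -inkey clientkey.pem -certfile cacert.pem \
        -name "hector" -passout "pass:$PASS" -out client.pfx
}

# Wrong (the command from the thread): -inkey cakey.pem puts the CA PRIVATE KEY in the bundle.
export_ca_pfx_wrong() {
    openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -certfile cacert.pem \
        -name "MY_ORG CA" -passout "pass:$PASS" -out thecacert.pfx
}

# True (exit 0) if the private key inside bundle $1 is the key in PEM file $2,
# decided by comparing the public halves.
pfx_contains_key() {
    want=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    got=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
          | openssl pkey -pubout 2>/dev/null)
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# Number of certificates in bundle $1 (leaf plus any -certfile extras).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# The nsCertType bits `openssl x509 -text` prints for $1, e.g. "SSL CA" or "SSL Client".
ns_cert_type() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | tail -n 1 | sed 's/^ *//'
}

run_demo() {
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1
    make_pki || return 1
    export_client_pfx || return 1
    export_ca_pfx_wrong || return 1
    openssl verify -CAfile cacert.pem clientcert.pem || return 1
    echo "CA nsCertType:     $(ns_cert_type cacert.pem)"
    echo "client nsCertType: $(ns_cert_type clientcert.pem)"
    echo "client.pfx carries $(pfx_cert_count client.pfx) certificate(s)"
    if pfx_contains_key client.pfx cakey.pem; then
        echo "client.pfx: LEAKS the CA private key"; return 1
    fi
    if pfx_contains_key thecacert.pfx cakey.pem; then
        echo "thecacert.pfx: contains the CA private key - never hand this to users"
    fi
    return 0
}

run_demo
```

Running it prints `clientcert.pem: OK`, the nsCertType values `SSL CA` and `SSL Client`, a count of 2 certificates in client.pfx (client plus CA), and the warning for thecacert.pfx, which is exactly the bundle the original command produced: anyone who imports it and knows the password can extract cakey.pem and sign certificates as the CA. The same `pfx_contains_key` check is a cheap thing to run before any .pfx leaves the CA host.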