Rich Salz wrote:
>
> > Make sure your common name, i.e. www.yahoo.com, in the cert is the
> > resolved DNS name you are using to pull up the site. Also make sure
> > you have a server certificate or intermediate.ca configured.
>
> That's why I attached the data, so folks could see that I did that.
>
> I don't have basic constraints in my CA cert, nor do I have the EMAIL
> RDN in my subject DN. I'll try adding those.

The certificates won't verify under OpenSSL either.
The reason is that somehow you've managed to get sha1WithRSAEncryption
as the OID in the RSA encrypted DigestInfo structure instead of SHA1.
The only way to get this wrong is by doing things at a low level such as
using RSA_sign() with the wrong OID or even building the DigestInfo
manually and calling RSA_private_encrypt() on it. X509_sign() is the
preferred way to sign certificates.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
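
Added example, not part of the original message and not OpenSSL code: a minimal check of the OID inside a DigestInfo that has already been recovered from an RSA signature (public-key operation done, PKCS#1 padding removed), flagging the mistake described in the reply. The names `check_digestinfo` and `der_header` are hypothetical, the sample inputs are constructed, and only SHA-1-sized DigestInfo with short-form DER lengths is handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER-encoded OIDs: tag, length, value. */
static const unsigned char OID_SHA1[] =     /* 1.3.14.3.2.26 */
    {0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A};
static const unsigned char OID_SHA1_RSA[] = /* 1.2.840.113549.1.1.5 */
    {0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05};
/* Constructed samples: DER headers followed by an all-zero 20-byte digest. */
static const unsigned char SAMPLE_GOOD[35] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
    0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
static const unsigned char SAMPLE_BAD[39] = {0x30, 0x25, 0x30, 0x0D, 0x06, 0x09,
    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x04, 0x14};

enum di_result { DI_MALFORMED = -1, DI_SHA1, DI_SIGNATURE_OID, DI_OTHER_OID };

/* Consume a tag and short-form length; return the content length or -1. */
static int der_header(const unsigned char **p, size_t *left, unsigned char tag)
{
    if (*left < 2 || (*p)[0] != tag || (*p)[1] > 0x7F) return -1;
    int n = (*p)[1];
    *p += 2; *left -= 2;
    return (size_t)n <= *left ? n : -1;
}

/* Hypothetical helper: classify the algorithm OID in a SHA-1 DigestInfo. */
enum di_result check_digestinfo(const unsigned char *der, size_t len)
{
    const unsigned char *p = der;
    size_t left = len;
    int seq = der_header(&p, &left, 0x30);      /* DigestInfo SEQUENCE */
    if (seq < 0 || (size_t)seq != left) return DI_MALFORMED;
    int alg = der_header(&p, &left, 0x30);      /* AlgorithmIdentifier */
    if (alg < 2) return DI_MALFORMED;
    const unsigned char *oid = p;               /* OID tag+length+value */
    size_t oid_len = (size_t)p[1] + 2;
    if (p[0] != 0x06 || oid_len > (size_t)alg) return DI_MALFORMED;
    p += alg; left -= (size_t)alg;              /* skip OID and parameters */
    int dig = der_header(&p, &left, 0x04);      /* OCTET STRING digest */
    if (dig != 20 || left != 20) return DI_MALFORMED;
    if (oid_len == sizeof OID_SHA1 && !memcmp(oid, OID_SHA1, oid_len))
        return DI_SHA1;                         /* digest OID, as required */
    if (oid_len == sizeof OID_SHA1_RSA && !memcmp(oid, OID_SHA1_RSA, oid_len))
        return DI_SIGNATURE_OID;                /* signature OID: the bug */
    return DI_OTHER_OID;
}

int main(void) { printf("good=%d bad=%d\n", check_digestinfo(SAMPLE_GOOD, 35),
                        check_digestinfo(SAMPLE_BAD, 39)); return 0; }
```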