Scott,
Client authentication requires the client to sign something. This means
the client needs to have the private key along with their certificate. You
can create a PKCS#12 file which includes all this information and import it
into the MS system. You should then see the results you are looking for.
_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________
----- Original Message -----
From: "Scott Fagg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 28, 2001 11:44 PM
Subject: Re: Generating and using client/browser certificates.
>
> I have progressed a little, I am now able to generate certs that IE will
> import:
>
> CA.pl -newreq
> openssl ca -in newreq.pem -out result_file -days 30
> openssl crl2pkcs7 -certfile result_file -in crl.pem -out cert.p7b
>
> and then remove the -------BEGIN----- and -------END------ lines.
>
> Unfortunately it does not offer it up for use when a site requires it.
>
> I was surprised not to get a response to my earlier post. Is this list the
> appropriate place for this?
>
>
> >>> "Scott Fagg" <[EMAIL PROTECTED]> 28/2/01 3:28:09 pm >>>
>
> I understand that it is possible to use client side certificates (i.e.
> certificates stored in the browser) to control access to pages and
> directories on a webserver. I've been following notes provided with OpenSSL
> for generating ssl certificates suitable for importing into a browser. For
> example, I've been doing the following:
>
> CA.pl -newreq
> CA.pl -signreq
> CA.pl -pkcs12 "My Cert"
>
> This generates a file that Netscape 4.7x happily imports but that IE 5.x
> doesn't like. It allows me to go thru the import process, but complains at
> the last step. It identifies the file's content as being PFX, but fails at
> the last step with: The input information is invalid.
>
> If I configure Apache to require the presence of client side certificates
> for a subdirectory, when I browse that subdirectory with Netscape, it asks
> me which certificate I wish to use, and I select the one I generated
> earlier. I am then allowed to view the page, HOWEVER, I get asked this
> question for every page impression even if they are all coming from the same
> subdirectory.
>
> So:
>
> - how do I get IE to accept certs I generate OR how do I generate certs
>   for IE?
> and
> - how do I stop NS from prompting the user for every URL.
>
> I am currently using a CA certificate I generated myself, but I have
> managed to convince IE and NS to trust this CA by importing new info into
> their list of trusted CAs.
>
> I'm using :
>
> OpenSSL 0.9.5a 1 Apr 2000
> Apache/1.3.12 (Unix) PHP/4.0.3pl1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24
> Netscape 4.7x
> IE 5.5
>
> This is my first post here, and I'm guessing this has probably been
> covered before. Are there notes somewhere that cover this? I have been using
> the notes that come with mod_ssl and openssl.
>
> regards,
>
>
>
>
> Scott Fagg <[EMAIL PROTECTED]>
> Ove Arup & Partners
> (07) 3839 1166
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
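The point of the reply above, shown as an added example that is not part of the original thread: a PKCS#7 (.p7b) bundle carries certificates only, while a PKCS#12 file carries the certificate together with its private key, which is what the browser needs in order to sign during client authentication. The throwaway CA made with `openssl req -x509` (instead of CA.pl), the file names, the subjects and the passphrase `changeit` are all assumptions made for the illustration.

```shell
# Added example. Constructed throwaway CA and client identity; every name,
# subject and the passphrase "changeit" are placeholders.

build_bundles() {    # $1 = empty scratch directory
    d=$1
    # Throwaway self-signed CA (stand-in for the CA that CA.pl manages).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Client private key plus certificate request (comparable to CA.pl -newreq).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    # The CA signs the request, valid for 30 days.
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null || return 1
    # PKCS#7 bundle: certificates only, the format has no place for a key.
    openssl crl2pkcs7 -nocrl -certfile "$d/client.pem" \
        -out "$d/client.p7b" || return 1
    # PKCS#12 bundle: certificate, its private key and the CA certificate.
    openssl pkcs12 -export -in "$d/client.pem" -inkey "$d/client.key" \
        -certfile "$d/ca.pem" -name "My Cert" \
        -passout pass:changeit -out "$d/client.p12" || return 1
}

# Number of private keys carried by a PKCS#7 file.
p7b_key_count() {
    openssl pkcs7 -in "$1" -print_certs | grep -c "PRIVATE KEY" || true
}

# Number of private keys carried by a PKCS#12 file; $2 = import passphrase.
p12_key_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -c "BEGIN.*PRIVATE KEY" || true
}

# Prints "match" when the key inside the PKCS#12 belongs to certificate $3.
p12_key_matches_cert() {
    k=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout)
    c=$(openssl x509 -in "$3" -noout -pubkey)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Demonstration run in a scratch directory.
work=$(mktemp -d) && build_bundles "$work" &&
    echo "p7b keys: $(p7b_key_count "$work/client.p7b")," \
         "p12 keys: $(p12_key_count "$work/client.p12" changeit)"
```

Because the .p12 file contains the private key, give it a real passphrase and delete the file once it has been imported into the browser's certificate store.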