I need to connect to an IIS4.0 on an NT4.0 server requiring a client certificate,
but I cannot generate a suitable client certificate using openssl.

When I connect to the site the browser shows me a list with all the certificates
I have to select one. But the only one that works is the one generated with the
certificate server that comes with NT.

I realized that the certificate that worked had added some SSLv3 extensions
so I worked it out to have most of them on my certificate but it still doesn't
work.

This is the certificate that works:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 283 (0x11b)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: ST=Region Metropolitana, L=Santiago, CN=E-CERTCHILE, O=Empresa Nacional de Certificacion Electronica, C=CL
        Validity
            Not Before: Dec 27 21:29:42 2000 GMT
            Not After : Dec 27 00:00:00 2001 GMT
        Subject: ST=Regi\xF3n Metropolitana, S=9220707-0, OU=Gerencia Ingenier\xEDa, O=STI, [EMAIL PROTECTED], CN=Alfonso C\xE1diz, C=CL
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cd:c3:2e:1f:ba:55:71:f2:ef:5b:c8:e0:28:85:
                    58:e7:9c:a8:85:da:7f:bd:41:61:2c:41:21:94:25:
                    cc:00:62:99:f4:fe:79:51:69:94:eb:68:67:32:fe:
                    3e:14:81:14:ee:22:9e:9e:67:38:23:fa:c7:ec:79:
                    e5:b4:fe:f2:96:a0:3a:a1:94:d6:cf:38:c2:5f:72:
                    cc:44:69:d1:aa:da:6c:d6:c2:8c:62:63:3e:fe:00:
                    ba:91:03:df:b4:c4:01:35:86:bf:3b:cd:27:b5:26:
                    65:75:66:54:18:64:8b:34:ca:90:33:23:d6:d2:64:
                    a1:5f:f9:60:c6:1c:13:bd:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Subject Key Identifier:
                58:8B:44:AC:A6:CD:E9:70:8F:60:15:CF:2B:41:C3:B1:AD:98:94:88
            X509v3 Issuer Alternative Name:
                ..http://www.ecertchile.cl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: md5WithRSAEncryption
        5f:7f:58:00:f9:2c:62:6b:8f:6e:5f:8f:6e:8d:82:ba:fd:16:
        a1:ca:8e:c5:15:e9:69:c9:0a:6c:9b:26:1b:5c:7c:2c:77:8b:
        57:28:79:80:04:d8:42:5a:49:be:38:43:15:98:d3:b4:1e:90:
        1d:ea:87:e3:e2:30:31:76:e8:02:e9:f3:4d:b6:21:0e:b4:1a:
        0c:11:14:5a:55:89:57:9c:fb:28:6e:18:3b:2f:0b:90:9d:bd:
        d8:bd:35:c0:c2:39:5b:5b:40:16:e8:1b:b2:21:27:ce:f8:97:
        0c:08:3c:14:2a:2c:a0:af:5b:84:56:61:b8:1b:72:c4:51:0b:
        43:5c

And this is the one that doesn't (openssl generated):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ES, ST=Madrid, L=Madrid, O=BSCH, OU=Universia, CN=Autoridad Certificadora/Email=email
        Validity
            Not Before: Mar 20 20:06:50 2001 GMT
            Not After : Mar 20 20:06:50 2002 GMT
        Subject: C=ES, ST=galiza, L=corunha, O=SSI, OU=enxenheria, [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:34:86:c7:fa:99:79:bd:0f:1c:d7:a0:59:ef:
                    ef:69:fc:d7:ff:cc:ed:71:13:d9:74:bb:b6:d0:c1:
                    69:f9:d9:53:e0:b7:6c:6b:b9:97:cc:1f:28:27:53:
                    ee:60:44:bc:0f:93:dd:77:64:06:d4:77:67:a8:a9:
                    bd:86:c5:5c:c2:1a:fe:05:27:73:84:ad:98:36:fd:
                    a8:b9:e2:d1:17:56:17:59:d6:9f:fd:2f:5e:b6:7f:
                    66:30:6a:cc:e4:b6:3d:1a:df:ef:2e:98:9b:1f:12:
                    d1:a7:b9:6a:67:bb:2d:4f:d5:17:40:8f:50:51:83:
                    75:f4:a9:ed:f3:35:c6:c4:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier:
                30:40:55:FF:9A:23:5D:E7:EE:F1:87:8B:09:7C:64:BA:02:58:EF:A0
            X509v3 Authority Key Identifier:
                DirName:/C=ES/ST=Madrid/L=Madrid/O=BSCH/OU=Universia/CN=Autoridad Certificadora/Email=email
                serial:00

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: md5WithRSAEncryption
        4f:08:63:db:0c:69:ca:08:73:53:f3:0b:7f:0d:46:a8:bb:2b:
        e7:3b:ef:1b:2d:15:e9:91:37:de:69:b0:3b:c4:97:58:ef:25:
        1e:ff:49:20:99:7f:71:ac:df:47:9b:0d:b4:00:72:56:24:b2:
        46:c7:9a:9d:96:1d:d8:bd:a5:14

If you need to make some tests on the private keys let me know which ones.


Thankx

Nacho


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
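
Added example, not part of the original post: a small Python helper that parses the "X509v3 extensions" block of two `openssl x509 -text` dumps and lists which extensions differ, using the extension sections of the two certificates above as input. The names NT_ISSUED, OPENSSL_ISSUED, parse_extensions and diff_extensions are made up for this illustration.

```python
import re
# Extension sections copied from the two dumps in the post (names are illustrative).
NT_ISSUED = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Subject Key Identifier:
                58:8B:44:AC:A6:CD:E9:70:8F:60:15:CF:2B:41:C3:B1:AD:98:94:88
            X509v3 Issuer Alternative Name:
                ..http://www.ecertchile.cl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication"""
OPENSSL_ISSUED = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier:
                30:40:55:FF:9A:23:5D:E7:EE:F1:87:8B:09:7C:64:BA:02:58:EF:A0
            X509v3 Authority Key Identifier:
                DirName:/C=ES/ST=Madrid/L=Madrid/O=BSCH/OU=Universia/CN=Autoridad Certificadora/Email=email
                serial:00
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: md5WithRSAEncryption"""

def parse_extensions(dump):  # returns {extension name: [value lines]}
    exts, base, name = {}, None, None
    for line in dump.splitlines():
        text = line.strip()
        indent = len(line) - len(line.lstrip())
        if not text:
            continue
        if base is None:
            if text == "X509v3 extensions:":
                base = indent          # indentation of the block header
        elif indent <= base:
            break                      # left the extensions block
        elif indent == base + 4:       # an extension name, possibly "critical"
            name = re.sub(r":\s*(critical)?$", "", text)
            exts[name] = []
        elif name:
            exts[name].append(text)    # a value line of the current extension
    return exts

def diff_extensions(first, second):
    a, b = parse_extensions(first), parse_extensions(second)
    return {"only_first": sorted(a.keys() - b.keys()),
            "only_second": sorted(b.keys() - a.keys()),
            "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}
```

The Subject Key Identifier always shows up under "changed" because it is derived from each certificate's own public key; the other entries are the differences in what the two CAs put into the certificate.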
