In client auth, the server sends a list of acceptable certificate
authorities to the client. Evidently, your IIS4 configuration is only
sending the one that corresponds to the certificate server on your NT box.
Your browser is dutifully only displaying certificates that have been signed
by one of the server-specified CAs.
_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________



----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 21, 2001 11:35 AM
Subject: how to generate a client certificate for IIS4.0


>
>
> I need to connect to an IIS4.0 on an NT4.0 server requiring a client certificate,
> but I cannot generate a suitable client certificate using openssl.
>
> When I connect to the site the browser shows me a list with all the certificates
> I have to select one. But the only one that works is the one generated with the
> certificate server that comes with NT.
>
> I realized that the certificate that worked had added some SSLv3 extensions
> so I worked it out to have most of them on my certificate but it still doesn't
> work.
>
> This is the certificate that works:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 283 (0x11b)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: ST=Region Metropolitana, L=Santiago, CN=E-CERTCHILE, O=Empresa Nacional de Certificacion Electronica, C=CL
>         Validity
>             Not Before: Dec 27 21:29:42 2000 GMT
>             Not After : Dec 27 00:00:00 2001 GMT
>         Subject: ST=Regi\xF3n Metropolitana, S=9220707-0, OU=Gerencia Ingenier\xEDa, O=STI, [EMAIL PROTECTED], CN=Alfonso C\xE1diz, C=CL
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:cd:c3:2e:1f:ba:55:71:f2:ef:5b:c8:e0:28:85:
>                     58:e7:9c:a8:85:da:7f:bd:41:61:2c:41:21:94:25:
>                     cc:00:62:99:f4:fe:79:51:69:94:eb:68:67:32:fe:
>                     3e:14:81:14:ee:22:9e:9e:67:38:23:fa:c7:ec:79:
>                     e5:b4:fe:f2:96:a0:3a:a1:94:d6:cf:38:c2:5f:72:
>                     cc:44:69:d1:aa:da:6c:d6:c2:8c:62:63:3e:fe:00:
>                     ba:91:03:df:b4:c4:01:35:86:bf:3b:cd:27:b5:26:
>                     65:75:66:54:18:64:8b:34:ca:90:33:23:d6:d2:64:
>                     a1:5f:f9:60:c6:1c:13:bd:07
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Digital Signature
>             X509v3 Subject Key Identifier:
>                 58:8B:44:AC:A6:CD:E9:70:8F:60:15:CF:2B:41:C3:B1:AD:98:94:88
>             X509v3 Issuer Alternative Name:
>                 ..http://www.ecertchile.cl
>             X509v3 Extended Key Usage:
>                 TLS Web Client Authentication
>     Signature Algorithm: md5WithRSAEncryption
>         5f:7f:58:00:f9:2c:62:6b:8f:6e:5f:8f:6e:8d:82:ba:fd:16:
>         a1:ca:8e:c5:15:e9:69:c9:0a:6c:9b:26:1b:5c:7c:2c:77:8b:
>         57:28:79:80:04:d8:42:5a:49:be:38:43:15:98:d3:b4:1e:90:
>         1d:ea:87:e3:e2:30:31:76:e8:02:e9:f3:4d:b6:21:0e:b4:1a:
>         0c:11:14:5a:55:89:57:9c:fb:28:6e:18:3b:2f:0b:90:9d:bd:
>         d8:bd:35:c0:c2:39:5b:5b:40:16:e8:1b:b2:21:27:ce:f8:97:
>         0c:08:3c:14:2a:2c:a0:af:5b:84:56:61:b8:1b:72:c4:51:0b:
>         43:5c
>
> And this is the one that doesn't (openssl generated):
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 9 (0x9)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=ES, ST=Madrid, L=Madrid, O=BSCH, OU=Universia, CN=Autoridad Certificadora/Email=email
>         Validity
>             Not Before: Mar 20 20:06:50 2001 GMT
>             Not After : Mar 20 20:06:50 2002 GMT
>         Subject: C=ES, ST=galiza, L=corunha, O=SSI, OU=enxenheria, [EMAIL PROTECTED]
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:af:34:86:c7:fa:99:79:bd:0f:1c:d7:a0:59:ef:
>                     ef:69:fc:d7:ff:cc:ed:71:13:d9:74:bb:b6:d0:c1:
>                     69:f9:d9:53:e0:b7:6c:6b:b9:97:cc:1f:28:27:53:
>                     ee:60:44:bc:0f:93:dd:77:64:06:d4:77:67:a8:a9:
>                     bd:86:c5:5c:c2:1a:fe:05:27:73:84:ad:98:36:fd:
>                     a8:b9:e2:d1:17:56:17:59:d6:9f:fd:2f:5e:b6:7f:
>                     66:30:6a:cc:e4:b6:3d:1a:df:ef:2e:98:9b:1f:12:
>                     d1:a7:b9:6a:67:bb:2d:4f:d5:17:40:8f:50:51:83:
>                     75:f4:a9:ed:f3:35:c6:c4:95
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Non Repudiation, Key Encipherment
>             X509v3 Subject Key Identifier:
>                 30:40:55:FF:9A:23:5D:E7:EE:F1:87:8B:09:7C:64:BA:02:58:EF:A0
>             X509v3 Authority Key Identifier:
>                 DirName:/C=ES/ST=Madrid/L=Madrid/O=BSCH/OU=Universia/CN=Autoridad Certificadora/Email=email
>                 serial:00
>
>             X509v3 Extended Key Usage:
>                 TLS Web Client Authentication
>     Signature Algorithm: md5WithRSAEncryption
>         4f:08:63:db:0c:69:ca:08:73:53:f3:0b:7f:0d:46:a8:bb:2b:
>         e7:3b:ef:1b:2d:15:e9:91:37:de:69:b0:3b:c4:97:58:ef:25:
>         1e:ff:49:20:99:7f:71:ac:df:47:9b:0d:b4:00:72:56:24:b2:
>         46:c7:9a:9d:96:1d:d8:bd:a5:14
>
> If you need to make some tests on the private keys let me know which ones.
>
>
> Thanks
>
> Nacho
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
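
The filtering described in the reply at the top of this thread, as an added example that is not part of the original messages: it builds and parses the body of an SSLv3/TLS 1.0 CertificateRequest and shows which certificates a client would then offer. The function names are hypothetical, the two CA names are constructed and abbreviated stand-ins for the issuers quoted above, and the byte-wise issuer comparison is a simplifying assumption about how a browser matches.

```python
import struct

# Attribute-type OIDs (X.520): countryName, organizationName, commonName.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}

def der_tlv(tag, body):
    if len(body) >= 0x80:
        raise ValueError("short-form DER lengths only in this sketch")
    return bytes([tag, len(body)]) + body

def der_name(rdns):
    """DER-encode a Name: SEQUENCE of SET of SEQUENCE{OID, PrintableString}."""
    sets = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OIDS[k]) + der_tlv(0x13, v.encode())))
        for k, v in rdns)
    return der_tlv(0x30, sets)

def build_certificate_request(cert_types, ca_names):
    """Server side: certificate_types<1..255>, then certificate_authorities."""
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return bytes([len(cert_types)]) + bytes(cert_types) + struct.pack("!H", len(cas)) + cas

def parse_certificate_request(body):
    """Client side: return (certificate types, list of DER-encoded CA names)."""
    n_types = body[0]
    types = list(body[1:1 + n_types])
    pos = 1 + n_types
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + total != len(body):
        raise ValueError("certificate_authorities length does not match body")
    names = []
    while pos < len(body):
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if pos + n > len(body):
            raise ValueError("truncated DistinguishedName")
        names.append(body[pos:pos + n])
        pos += n
    return types, names

def selectable(wallet, acceptable):
    """Certificates a browser would list; an empty CA list filters nothing."""
    return [label for label, issuer in wallet if not acceptable or issuer in acceptable]

# Constructed, abbreviated names standing in for the two issuers in the thread.
NT_CA = der_name([("C", "CL"), ("CN", "E-CERTCHILE")])
OPENSSL_CA = der_name([("C", "ES"), ("O", "BSCH"), ("CN", "Autoridad Certificadora")])
WALLET = [("NT cert server certificate", NT_CA), ("openssl certificate", OPENSSL_CA)]
REQUEST = build_certificate_request([1], [NT_CA])  # 1 = rsa_sign
```

With REQUEST naming only the first CA, selectable() returns just the first wallet entry; the openssl-issued certificate is offered only once its CA is also in the list the server sends.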
