I went and generated a CSR from ca.key, sent it to UM System, had them sign
it, brought it back, put it in CertificateChainFile on an httpd server, and
also used ca.key and the new cert to sign a CSR for that web server. (I
figured generating new certificates for the servers isn't that big a deal in
our case.)

After I installed the UM-System root CA in my IE client, it works happy as
can be, automatically does the certificate chain and validates successfully
back to the root. 

However, on Netscape and openssl s_client, it does not work. It says
something about Invalid CA. Here's the exact error:

 infinity(58)>openssl s_client -CApath /umr/s/openssl/common/certs -connect falcon.cc.umr.edu:443
CONNECTED(00000003)
depth=1 [EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
verify error:num=24:invalid CA certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information [EMAIL PROTECTED]
   i:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
 1 s:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Rolla/O=University of Missouri - Rolla/OU=Computing and Information Services/CN=UMR Certificate Authority
   i:[EMAIL PROTECTED]/C=US/ST=Missouri/L=Columbia/O=University of Missouri/OU=Information Technology/CN=University of Missouri Root Authority
---

If I try to do 'openssl x509 -in um-root.pem -text', or on the new
umr-cert.pem, it segfaults right as it's about to print out CRL locations.
(I'm running 0.9.6a in case it matters.)

Now, on Netscape/Mozilla, if I go ahead and install the new UMR CA cert
(what's in the chain) it works just fine, but the automatic validation along
the chain is not working.

Any ideas?

-- Nathan

> On 10/02/01 09:20 AM, Nathan Neulinger sat at the `puter and typed:
> > Here's my current situation - I have a UMR CA set up, self-signed, that
> > we use to sign certs for local web servers. The CA Cert for this local
> > CA is installed on all local workstations.
> >
> > The parent organization, UM-System, is now setting up a UM-System CA.
> >
> > What I would like to do is have the CAs chained - sign the UMR CA with
> > the UM System key, and then install the UM System CA into any new clients.
> >
> > What exactly do I need to do for this?
> 
> Not sure how this would work if you already have the self-signed cert
> for UMR, but there is an option to sign a self-signed cert - see the
> -ss_cert switch with the ca command at
> http://www.openssl.org/docs/apps/ca.html
> 
> Keep in mind that this may cause some issues with certs that are
> already out there and signed by the UMR cert *prior* to signing the
> UMR cert with the UMS cert.  You may want to revoke and reissue all
> certs - not too difficult if you save the .csr files, but can also be
> done if you just put them in a directory and whip up a script that
> will extract the CSR from the certs (openssl x509 is the command IIRC).
> 
> > Is it sufficient to take the umrca.key, generate a CSR from it, and send
> > that to UM System for them to sign enabled for CA use? Once that is
> > done, should I install the UM-System CA cert in the clients, and use
> > CertificateChainFile or similar to provide the CA-Cert they just signed
> > for us?
> 
> See above.  Someone else who has already been thru this may have more
> detailed suggestions.  I don't know for sure if the existing certs
> will validate correctly with changes in the chain.
> 
> I do know, however, that if the pathlen basicConstraint is set to 0,
> which is the default on self-signed certs with the distributed
> openssl.cnf file, you cannot create a chain.  You must remove the
> pathlen definition from the v3_ca section.
> 
> HTH
> Lou
> -- 
> Louis LeBlanc       [EMAIL PROTECTED]
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://acadia.ne.mediaone.net
> 
> Adore, v.:
>   To venerate expectantly.
>     -- Ambrose Bierce, "The Devil's Dictionary"
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  [EMAIL PROTECTED]
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
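The following is an added example, not code from Nathan's or Lou's mail: it rebuilds the two-level setup the thread describes with throwaway keys and runs `openssl verify` the way `s_client` does (trust only the root, hand the sub-CA cert over as untrusted chain material). It shows the chain validating when the parent signs the sub-CA CSR with a CA profile, producing the same `error 24 ... invalid CA certificate` when the parent signs that CSR with an end-entity profile (one way to get the error shown above, not necessarily the only one), and failing on a root that carries `pathlen:0` as Lou mentions. The subject names (Example Root CA, Example Sub CA, www.example.test), the file names and the extension sections in `ext.cnf` are this example's own placeholders; the only thing assumed is an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): two-level CA chain built with
# throwaway keys, verified under three basicConstraints variants.
# Assumes only `openssl` on PATH; all names below are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: `req` wants a distinguished_name section even with -subj,
# and the other sections are the X.509v3 profiles used when signing.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ok ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca_pathlen0 ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ not_ca ]
# What you get if the parent signs the sub-CA CSR with an end-entity profile.
basicConstraints = CA:FALSE
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

q() { "$@" 2>/dev/null; }   # silence openssl's progress chatter

# Keys: root, sub-CA (the "UMR CA" role in the thread) and one web server.
q openssl genrsa -out root.key 2048
q openssl genrsa -out sub.key 2048
q openssl genrsa -out www.key 2048

# Two self-signed roots from the same key: a sane one and one with pathlen:0.
q openssl req -x509 -new -key root.key -days 30 -subj "/CN=Example Root CA" \
    -config ext.cnf -extensions ca_ok -out root.pem
q openssl req -x509 -new -key root.key -days 30 -subj "/CN=Example Root CA" \
    -config ext.cnf -extensions ca_pathlen0 -out root-p0.pem

# Sub-CA CSR from the existing sub-CA key (the step the thread describes),
# signed by the root under three different profiles.
q openssl req -new -key sub.key -subj "/CN=Example Sub CA" -config ext.cnf -out sub.csr
sign() {  # sign <csr> <ca cert> <ca key> <serial> <ext section> <out>
    q openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" -days 30 \
        -extfile ext.cnf -extensions "$5" -out "$6"
}
sign sub.csr root.pem    root.key 1 ca_ok  sub-ok.pem
sign sub.csr root.pem    root.key 2 not_ca sub-notca.pem
sign sub.csr root-p0.pem root.key 3 ca_ok  sub-p0.pem

# Web server cert issued by each flavour of sub-CA.
q openssl req -new -key www.key -subj "/CN=www.example.test" -config ext.cnf -out www.csr
sign www.csr sub-ok.pem    sub.key 10 leaf www-ok.pem
sign www.csr sub-notca.pem sub.key 11 leaf www-notca.pem
sign www.csr sub-p0.pem    sub.key 12 leaf www-p0.pem

# The first thing to check on a sub-CA cert handed back by the parent:
# prints the basicConstraints value the cert actually carries.
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}

# Verify the way s_client does: trust only the root, offer the sub-CA as
# untrusted chain material. Prints OK, or the "error N" code openssl gives
# (24 = invalid CA certificate, 25 = path length constraint exceeded).
verify_chain() {  # verify_chain <root> <intermediate> <leaf>
    if out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at [0-9]* depth lookup.*/error \1/p' | head -n 1
    fi
}

echo "sub-ok:    $(basic_constraints sub-ok.pem) -> $(verify_chain root.pem sub-ok.pem www-ok.pem)"
echo "sub-notca: $(basic_constraints sub-notca.pem) -> $(verify_chain root.pem sub-notca.pem www-notca.pem)"
echo "root-p0:   $(basic_constraints root-p0.pem) -> $(verify_chain root-p0.pem sub-p0.pem www-p0.pem)"
```

The point of the `not_ca` case: if the sub-CA cert that came back from the parent shows `CA:FALSE` (or no basicConstraints at all), installing the root in the client cannot help, because the verifier refuses the middle certificate as an issuer no matter how the chain file is laid out; the parent has to reissue it under a CA profile. The `root-p0` case is Lou's point from the other side: the root's `pathlen` limits how many sub-CAs may sit below it, so a root issued with `pathlen:0` can sign servers directly but can never anchor a chain.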
