Williams, Jeff wrote:

>As for Netscape, I'm having a problem getting Netscape to import the Root
>Authority.
>
This is a known problem.
The only way to import a new root inside Netscape 4.x is to create an 
HTML page with a link that points to the certificates, and install by 
clicking on the link on this page. The HTML page can be a file on your 
hard drive, as well as the certificate.
The only important thing is that the MIME type associated inside the 
registry with the certificate file be the one Netscape expects.

This usually is the case when you give the file the extension .der. 
Try .cer too.
If that doesn't work, do a search of the mailing list archive to get 
the exact MIME type needed, and find out how to modify the MIME type from 
file explorer.

>Also, is there a way to tell if my certificates that I sign are 128 bit
>encrypted?  Or is there something I should use with openssl to guarantee a
>128 bit certificate?  Thanks for the help!
>
What are called 128-bit certificates are certificates with some special 
extension, signed by an authority that the client browser 
will recognise as allowed to emit 128-bit certificates.

When seeing both of these together, the client web browser (IE below 
version 5.5 or Netscape Navigator 4.x) will switch to 128-bit 
cryptography, even if it's an export version that would usually be 
restricted to 56 bit.

Your home-made CA is not recognised as such a trusted CA.
If the application is intranet, you could search and find out how to 
individually get each client web browser on the intranet to trust your CA 
to emit 128-bit certificates, but it won't be of any use in the general 
world.

Even for an intranet, simply updating all the clients to a 
non-cryptographically restricted version would be _a lot_ easier.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
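
An added example, not part of the original message: a way to check from the command line whether a certificate carries the kind of "special extension" described in the reply. It assumes the extension meant is the extended key usage values OpenSSL names `nsSGC` (2.16.840.1.113730.4.1) and `msSGC` (1.3.6.1.4.1.311.10.3.3), and OpenSSL 1.1.1 or later for `-addext`; the function names and the demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the "gated crypto" extended key usage values in a cert.
# As the reply explains, the extension alone is not enough: the issuing CA must
# also be one the browser trusts for this purpose, so a home-made CA fails.

# Print each SGC-style EKU found in a PEM certificate, one per line.
# Exit status is 0 if at least one is present, non-zero otherwise.
has_sgc_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -Eo 'Netscape Server Gated Crypto|Microsoft Server Gated Crypto'
}

# Build a constructed, self-signed sample certificate with the given EKU list.
# (Hypothetical helper for the demo; key and cert are throwaway files.)
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1" -days 1 \
        -subj "/CN=demo.example" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Report on one certificate in a form suitable for a quick audit.
report() {
    if found=$(has_sgc_eku "$1"); then
        echo "$1: carries SGC/step-up EKU:"
        echo "$found" | sed 's/^/    /'
    else
        echo "$1: no SGC/step-up EKU (ordinary certificate)"
    fi
}

# Demo on two constructed certificates.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/with_sgc.pem" "serverAuth,nsSGC,msSGC"
make_demo_cert "$demo_dir/plain.pem" "serverAuth"
report "$demo_dir/with_sgc.pem"
report "$demo_dir/plain.pem"
```
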
