It's actually not only that it is self-signed. The extension:
X509v3 Basic Constraints: CA:TRUE
Should not be TRUE, it should be FALSE. Only CAs have this set as TRUE (just as it says). Apache obviously does not like this either since this occurs in the log:
-----
[Mon Dec 08 15:36:14 2003] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
-----
I would generate a new certificate with BasicConstraints=FALSE.
Cheers, Tomas
Mark Foster wrote:
On Tue, Dec 09, 2003 at 03:53:54PM -0700, Leon wrote:
Apparently the problem is obscure enough that it's been suggested that the server certificate be posted. Since I will be recreating it afterwards anyway, that isn't a problem.
[EMAIL PROTECTED] ssl.crt]# openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=New Mexico, L=Los Alamos, O=Innovative Web Applications, CN=rt.iwapps.com/[EMAIL PROTECTED]
Validity
Not Before: Dec 5 21:19:38 2003 GMT
Not After : Dec 4 21:19:38 2004 GMT
Subject: C=US, ST=New Mexico, L=Los Alamos, O=Innovative Web Applications, CN=rt.iwapps.com/[EMAIL PROTECTED]
So it's self-signed. That shouldn't matter. What matters is what your apache directives are set to. I recommend...
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
# These others should probably be commented out
#SSLCertificateChainFile (unset)
#SSLCACertificatePath (unset)
#SSLCACertificateFile (unset)
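The fix suggested at the top of this message, as an added example that is not part of the original thread: a self-signed server certificate is generated once with CA:TRUE (the condition Apache warns about) and once with CA:FALSE, and each is checked. The function names, output file prefix and host name www.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example; names, paths and the CN below are constructed placeholders.

# make_selfsigned PREFIX CN TRUE|FALSE
# Writes PREFIX.cnf, PREFIX.key and PREFIX.crt: a self-signed certificate
# whose BasicConstraints extension carries CA:<third argument>.
make_selfsigned() {
    printf '%s\n' \
        '[req]' \
        'distinguished_name = dn' \
        'x509_extensions = v3_ext' \
        'prompt = no' \
        '[dn]' \
        "CN = $2" \
        '[v3_ext]' \
        "basicConstraints = critical, CA:$3" \
        > "$1.cnf"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# cert_is_ca FILE
# Returns 0 if the certificate text shows CA:TRUE under Basic Constraints,
# which is what triggers Apache's "RSA server certificate is a CA
# certificate" warning; returns 1 otherwise.
cert_is_ca() {
    case "$(openssl x509 -noout -text -in "$1")" in
        *CA:TRUE*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Demo: build both variants in a scratch directory and report on each.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir/with-ca" www.example.test TRUE
make_selfsigned "$demo_dir/server"  www.example.test FALSE
for crt in "$demo_dir/with-ca.crt" "$demo_dir/server.crt"; do
    if cert_is_ca "$crt"; then
        echo "$crt: CA:TRUE, regenerate before using as a server certificate"
    else
        echo "$crt: CA:FALSE, suitable as an end-entity server certificate"
    fi
done
rm -rf "$demo_dir"
```

The resulting server.crt and server.key are what SSLCertificateFile and SSLCertificateKeyFile would point at.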