Oops, there we do have some kind of a problem. The response to:

  openssl s_client -connect www.bliek.org:443 -prexit

looks like:

CONNECTED(00000003)
depth=0 /C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL PROTECTED]
verify return:1
9493:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
9493:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
...........
depth=0 /C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL PROTECTED]
...........

So alright, something does go wrong, but it is still unclear to me why.
This is how I created the keys that resulted in these errors:

Create directories
  mkdir /opt/ssl/server
  mkdir /opt/ssl/CA
  mkdir /opt/ssl/client

Create server keys
  cd /opt/ssl/server
  openssl req -new > server.cert.csr
  openssl rsa -in privkey.pem -out server.cert.key
  openssl x509 -in server.cert.csr -out server.cert.cert -req -signkey server.cert.key -days 365
  note: I use CN = www.mydomain.com for all keys

Create CA keys
  cd /opt/ssl/CA
  openssl req -new > CA.cert.csr
  openssl rsa -in privkey.pem -out CA.cert.key
  openssl x509 -in CA.cert.csr -out CA.cert.cert -req -signkey CA.cert.key -days 365

Create client keys
  cd /opt/ssl/client
  openssl req -new > client.cert.csr
  openssl rsa -in privkey.pem -out client.cert.key
  openssl x509 -in client.cert.csr -out client.cert.cert -req -signkey client.cert.key -days 365

Sign the client request with the CA.cert.key
  openssl x509 -req -in client.cert.csr -out client.cert.cert -signkey ../CA/CA.cert.key -CA \
    ../CA/CA.cert.cert -CAkey ../CA/CA.cert.key -CAcreateserial -days 365

Export cert/keys to server
  cp /opt/ssl/server/server.cert.cert /etc/apache/conf/ssl/.
  cp /opt/ssl/server/server.cert.key /etc/apache/conf/ssl/.
  cp /opt/ssl/CA/CA.cert.cert /etc/apache/conf/ssl/.

Edit apache configuration
  nano -w /etc/apache2/conf/modules.d/41_mod_ssl.default-vhost.conf
    SSLCertificateFile /path/to/certs/server.cert.cert
    SSLCertificateKeyFile /path/to/certs/server.cert.key
    SSLCACertificateFile /path/to/certs/CA.cert.cert
    SSLVerifyClient require

Restart apache server
  /etc/init.d/apache2 restart
  note: I do have several vhosts on my machine

Export cert to client
  cp /opt/ssl/client/client.cert.cert -> client machine

Import key into browser:
  start mozilla -> edit -> preferences -> privacy & security -> certificates -> manage certificates -> authorities -> import

Browse to my www.mydomain.org (not to any of the other vhosts).

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Tue, Feb 24, 2004, Bo Boe wrote:
>
> > My mozilla browser (version 1.6) returns the error.
> > When I install the client certificate in iexplorer (version 6.0) I get a
> > pop-up window asking me to select a client certificate from an empty list.
> >
> > By the way, I just tried to make the certificates as explained in the ssl
> > cookbook on http://www.pseudonym.org/ssl/ssl_apache.html
> > It results in the same error.
> >
> > I created all the certificates on a gentoo server which is fully up to date.
> > This machine is also used as the apache2 server and openssl 0.9.7c.
> >
>
> http://www.openssl.org/support/faq.html#USER10
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                        [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
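Added here as an example, not code from the original mail or from the thread: a small shell script with the checks a practitioner would run on the files that the procedure above produces before pointing mod_ssl at them. It assumes only the openssl command-line tool; the four certificate and key paths are passed as arguments, and the `/opt/ssl` layout from the mail is not hard-coded.

```shell
#!/bin/sh
# Added example, not from the original mail: sanity checks on the files the
# procedure above produces, run before they go into the Apache mod_ssl config.
# Usage (all four paths are arguments; nothing is assumed about /opt/ssl):
#   ./check.sh CA.cert.cert client.cert.cert server.cert.cert server.cert.key

# check_client_chain CAFILE CLIENTCERT: 0 when CLIENTCERT validates against
# CAFILE, which is what SSLVerifyClient require does with SSLCACertificateFile.
# A client cert that is still self-signed (the state right after the
# "openssl x509 -req ... -signkey client.cert.key" step) fails here.
check_client_chain() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_issuer_matches CAFILE CLIENTCERT: 0 when the client cert's issuer DN
# equals the CA cert's subject DN. With the same CN on every certificate, a
# cert signed by the wrong key is easy to overlook by eye.
check_issuer_matches() {
  ca_subj=$(openssl x509 -noout -subject -in "$1" 2>/dev/null) || return 2
  cl_iss=$(openssl x509 -noout -issuer -in "$2" 2>/dev/null) || return 2
  [ "${ca_subj#subject=}" = "${cl_iss#issuer=}" ]
}

# check_cert_key_match CERT KEY: 0 when the RSA public key in CERT belongs to
# KEY (moduli compared), i.e. SSLCertificateFile/SSLCertificateKeyFile pair up.
check_cert_key_match() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# run_all CAFILE CLIENTCERT SERVERCERT SERVERKEY: prints one line per check
# and returns the number of failed checks (0 means all passed).
run_all() {
  fails=0
  report() {   # report LABEL CMD ARGS...
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
  }
  report "client cert chains to CA file"   check_client_chain   "$1" "$2"
  report "client cert issuer is the CA"    check_issuer_matches "$1" "$2"
  report "server cert matches server key"  check_cert_key_match "$3" "$4"
  return "$fails"
}

# Run the checks only when invoked with the four paths.
if [ "$#" -eq 4 ]; then
  run_all "$@"
fi
```

The same three checks can be aimed at the server pair with any CA file, and a non-zero return from run_all gives the count of checks that failed.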