> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
> Sent: Wednesday, March 16, 2005 5:01 AM
> To: openssl-users@openssl.org
> Subject: Re: Field CN and the certificates
>
> On Wed, Mar 16, 2005, Vu Pham wrote:
>
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
> > > Sent: Tuesday, March 15, 2005 11:33 PM
> > > To: openssl-users@openssl.org
> > > Subject: Re: Field CN and the certificates
> > >
> > > Back to your original problem -- You said you were accessing the web
> > > server by using IE, was that client machine in the same private
> > > network (as the server)?
> > >
> > > Have you tested accessing the web server from another client machine?
> > >
> > > Maybe you should start looking from the client-end.
> >
> > Yes, I did this on 1 XP/IE on the same local network, 1 XP/IE from
> > outside, 1 W2k/IE from outside, one Solaris 10 x86/Netscape on VPN network.
> >
> > All the IEs show the same error. Netscape on Solaris even shows "You
> > have attempted to establish a connection with "abc.mydomain.com".
> > However the security certificate presented belongs to "abc.mydomain.com" ....
> >
> > The thing that makes me confused is that the two host names that the
> > warning displays are the same.
>
> Well firstly you can rule out DNS records. To avoid DNS spoofing attacks
> the only thing that is important is the hostname the browser uses and the
> server it talks to ultimately.
>
> You mentioned using a self signed certificate for the server. This can
> cause problems. Have you tried it with a root CA and server certificate
> instead, as created by CA.pl for example?

Currently I have a self-signed certificate as CA root. I use this CA root to sign the cert B. I import CA root to my PC, and use cert B on the web server.

The following commands are what I used:

1. To create CA root
   # openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
   with OPENSSL_CONF set to my configuration file

2. To create a cert request
   # openssl req -newkey rsa:1024 -keyout pdakeypass.pem -keyform PEM -out pdareq.pem -outform PEM

3. To clear the passphrase in cert key
   # openssl rsa -in pdakeypass.pem -out pdakey.pem

4. To sign cert in step 2.
   # openssl ca -in pdareq.pem

Then I use the two files pdareq.pem and pdakey.pem for my Apache for cert and its key. The cacert.pem in step 1 is imported to my PC.

Are those steps correct? I think I am missing something but do not know what it is.

Thanks,
Vu
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
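
An added example, not part of the original thread: a shell check that reports which kind of PEM object each file from the steps above holds (request, encrypted key, plain key, certificate) and whether a certificate/key pair suits a server that must start unattended. The sample files are constructed with placeholder bodies, `pdacert.pem` is a hypothetical name for the signed certificate from step 4, and the function names are this example's own.

```shell
# pem_kind FILE -> certificate | request | key | encrypted-key | unknown
pem_kind() {
    # Strip CRs so files edited on Windows still match; use the first BEGIN line.
    label=$(tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    case "$label" in
        CERTIFICATE|"TRUSTED CERTIFICATE") echo certificate ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo request ;;
        "ENCRYPTED PRIVATE KEY") echo encrypted-key ;;
        "RSA PRIVATE KEY"|"PRIVATE KEY")
            # Traditional-format keys flag passphrase protection in a header line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-key
            else echo key; fi ;;
        *) echo unknown ;;
    esac
}

# check_server_pair CERT KEY -> 0 when CERT holds a certificate and KEY an
# unencrypted private key, 1 otherwise (reasons are written to stderr).
check_server_pair() {
    rc=0; ck=$(pem_kind "$1"); kk=$(pem_kind "$2")
    [ "$ck" = certificate ] || { echo "$1: expected certificate, found $ck" >&2; rc=1; }
    [ "$kk" = key ] || { echo "$2: expected unencrypted key, found $kk" >&2; rc=1; }
    return $rc
}

# Constructed sample files: real PEM labels, placeholder bodies (no real keys).
# pdacert.pem is a hypothetical name for the output of the signing step.
sample_pem() { printf '%s\n' "-----BEGIN $1-----" "${2}AAAA" "-----END $1-----"; }
make_samples() {
    sample_pem 'CERTIFICATE REQUEST' '' > "$1/pdareq.pem"
    sample_pem 'RSA PRIVATE KEY' 'Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

' > "$1/pdakeypass.pem"
    sample_pem 'RSA PRIVATE KEY' '' > "$1/pdakey.pem"
    { echo 'Certificate:'; sample_pem 'CERTIFICATE' ''; } > "$1/pdacert.pem"
}

# Demo: classify each constructed sample.
d=$(mktemp -d) && make_samples "$d"
for f in pdareq.pem pdakeypass.pem pdakey.pem pdacert.pem; do
    echo "$f: $(pem_kind "$d/$f")"
done
rm -rf "$d"
```

The check reads only the PEM labels; confirming that a certificate chains to `cacert.pem` and matches its key still needs `openssl verify` and a comparison of the public keys.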