On Sun, Oct 30, 2005, Cesc wrote:

> See below ...
> >
> Used this way, it gives an OK.
>

So OpenSSL thinks all is fine.

> If you get an error include the -issuer_checks debugging option.
> >
>
> Adding this debug option, I thought it may be interesting to show the
> output ... here it is:
> error 29 at 0 depth lookup:subject issuer mismatch
>

That's normal, the "OK" is the important thing.

>
> Anyway, does all this have to do with the usercert.pem cert not being
> recognized as valid by browsers? I want to distribute the root.pem cert ...
> then provide to users the cert chain file (first usercert.pem and second in
> file, intermediate.pem cert). Is this correct?
>

Depends on how they are being installed. If it's Mozilla you can use various
forms. Probably the easiest is PKCS#7 (use crl2pkcs7) with the user cert first.

What you need to ensure is that the browser trusts the root CA *and* it sends
the intermediate CA with the chain. If it doesn't send the intermediate CA
you'll get unknown CA errors.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
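The setup discussed in this message, as an added example that is not part of the original post or of OpenSSL's own documentation: it builds a throwaway root.pem / intermediate.pem / usercert.pem chain, shows that verification succeeds only when the intermediate is supplied alongside the user certificate, and packs the two into a PKCS#7 bundle with crl2pkcs7. The subject names, the temporary directory, the chain.p7b file name and the helper function names are assumptions made for the example.

```sh
#!/bin/sh
# Constructed three-tier PKI: root.pem -> intermediate.pem -> usercert.pem.
# Subject names and the temp directory are made up for this example.

make_chain() {                      # $1 = working directory
    printf 'basicConstraints=critical,CA:TRUE\n'  > "$1/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$1/ee.ext"
    for n in root intermediate usercert; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -out "$1/$n.csr" -subj "/CN=Constructed $n" 2>/dev/null || return 1
    done
    # Self-signed root, then each tier signed by the one above it.
    openssl x509 -req -days 2 -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$1/intermediate.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -set_serial 2 -extfile "$1/ca.ext" \
        -out "$1/intermediate.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$1/usercert.csr" -CA "$1/intermediate.pem" \
        -CAkey "$1/intermediate.key" -set_serial 3 -extfile "$1/ee.ext" \
        -out "$1/usercert.pem" 2>/dev/null
}

# Only root.pem is trusted; the intermediate is offered as an untrusted helper,
# which is the role it plays when it is sent along with the user certificate.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
        "$1/usercert.pem" 2>&1 | grep -q ': OK$'
}

# Same trust store, intermediate withheld: the chain cannot be built.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/usercert.pem" 2>&1 | grep -q ': OK$'
}

# Certificates-only PKCS#7 bundle, user cert first, then the intermediate.
make_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$1/usercert.pem" \
        -certfile "$1/intermediate.pem" -out "$1/chain.p7b"
}

# Subject lines of the bundled certificates, in bundle order.
p7b_subjects() {
    openssl pkcs7 -in "$1/chain.p7b" -print_certs -noout | grep '^subject='
}

d=$(mktemp -d) && make_chain "$d" && make_p7b "$d" || exit 1
verify_with_intermediate "$d"    && echo "OK with intermediate supplied"
verify_without_intermediate "$d" || echo "fails when intermediate is missing"
p7b_subjects "$d"; rm -rf "$d"
```

The root never goes into the bundle: it has to reach the browser's trust store separately, and only the user certificate and intermediate travel together.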