It kinda worked ... but I have a few more doubts :) Tks a lot!
See below

On 10/30/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
On Sun, Oct 30, 2005, Cesc wrote:
> See below ...
>
>
> Used this way, it gives an OK.
>

So OpenSSL thinks all is fine.

> > If you get an error include the -issuer_checks debugging option.
>
> Adding this debug option, I thought it may be interesting to show the
> output ... here it is:
> error 29 at 0 depth lookup:subject issuer mismatch
>

That's normal; the "OK" is the important thing.

>
> Any way, does all this have to do with the usercert.pem cert not being
> recognized as valid by browsers? I want to distribute the root.pem cert ...
> then provide to users the cert chain file (first usercert.pem and second in
> file, intermediate.pem cert). Is this correct?
>

Depends on how they are being installed. If its Mozilla you can use various
forms. Probably the easiest is PKCS#7 (use crl2pkcs7) with the user cert
first.

For the sake of completion in this thread, this is what I did ...
openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile root.pem -outform DER -out user.p7c
Actually, the root.pem cert need not be included ... as long as it is in the trusted certs repository it all works fine.

I got this to work in Windows (add root.pem as trusted, then double click on user.p7c and it says trusted).
But, will this user.p7c be accepted in the setup of the web server (apache)? I tried using it with s_server ... no luck.
I am a little bit puzzled by all the formats and so on ... It is very clear if you just want a 1 level structure (user certs directly signed by the root authority), but the moment you try to go further in the levels ... it is not so easy ... any document where this whole thing is explained clearly?

What you need to ensure is that the browser trusts the root CA *and* it sends
the intermediate CA with the chain. If it doesn't send the intermediate CA
you'll get unknown CA errors.

Steve.
How do I make it so the browser sends the user cert + intermediate CA chain all at once? Setting up the web server to use the .p7c file? Just appending the two certs in the same file (PEM or DER?) ...

Tks again for your answers!

Cesc
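The point Steve makes above (the root must be trusted and the intermediate must be sent with the leaf, or you get "unknown CA") can be reproduced on the command line. The script below is an added example, not code from the thread: it builds a throwaway root -> intermediate -> user chain with the openssl CLI, shows that user.pem verifies only when the intermediate is supplied, and assembles the leaf-first PEM chain file a server would present. All names (Example Root CA, req.cnf, user_chain.pem, ...) are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl command-line tool.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config: req needs a distinguished_name section even with -subj.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

Q="-batch -nodes -newkey rsa:2048"   # shared req options (constructed)

# 1. Self-signed root: the only certificate the browser's trust store needs.
openssl req -config req.cnf $Q -x509 -days 365 -extensions ca_ext \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" 2>/dev/null
# 2. Intermediate CA, signed by the root (must carry CA:TRUE).
openssl req -config req.cnf $Q -new -keyout intermediate.key \
  -out intermediate.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile req.cnf -extensions ca_ext -days 365 \
  -out intermediate.pem 2>/dev/null
# 3. End-entity (user/server) certificate, signed by the intermediate.
openssl req -config req.cnf $Q -new -keyout user.key \
  -out user.csr -subj "/CN=user.example" 2>/dev/null
openssl x509 -req -in user.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -extfile req.cnf -extensions leaf_ext -days 365 \
  -out user.pem 2>/dev/null

# Verify with only the root trusted; extra args (e.g. -untrusted intermediate.pem)
# stand in for what a browser would receive from the server.
verify_user() {
  openssl verify -CAfile root.pem "$@" user.pem 2>&1 | grep -q 'user.pem: OK'
}

# What the server must send: leaf first, then the intermediate (root optional).
cat user.pem intermediate.pem > user_chain.pem
chain_len() {
  openssl crl2pkcs7 -nocrl -certfile user_chain.pem \
    | openssl pkcs7 -print_certs -noout | grep -c '^subject'
}

verify_user && echo "without intermediate: OK" || echo "without intermediate: unknown CA"
verify_user -untrusted intermediate.pem && echo "with intermediate: OK"
echo "certificates in user_chain.pem: $(chain_len)"
```

For Apache the same leaf-first ordering applies: user_chain.pem (or the intermediate alone in a separate chain file) is what makes the server send the intermediate along with the user cert.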
