On Wed, Jan 25, 2006, [EMAIL PROTECTED] wrote:

> I have created a chain of certificates as follows:
> A Self signed CA certificate
> A server certificate
> 
> A client certificate:
> openssl genrsa -des3 -out client.key 4096
> 
> Client sign request:
> openssl req -new -key client.key -out client.csr
> 
> I signed the CSR with my CA:
> openssl x509 -req -days 365 -in client.csr -CA STCCA.crt -CAkey STCCA.key \
>     -set_serial 01 -out client.crt
> 
> I then exported the crt to pcks12:
> openssl pkcs12 -export -in client.crt -out client.p12 -inkey client.key \
>     -name "Subversion"
> 
> I can import and use this certificate successfully using IE and Opera. 
> This certificate fails for "unknown reasons" when I import with Firefox 
> 1.0.7 and 1.5. I tried exporting the CA certificate just for the heck of 
> it using the same command and this certificate imports correctly. What is 
> going on? I suspected the certificate was broken until it worked in IE. 
> Then I suspected the format was wrong until I exported the CA certificate 
> the same way and it worked. Please bring some sanity to my crazy world. 

Use the CA.pl script instead of manually calling the 'x509' command. Though if
you use OpenSSL 0.9.8 use CA.pl from a recent snapshot because there is a bug
in the release version.

As it stands there are several possible problems. You don't say how you
created the CA certificate: it may have invalid or no extensions.

The end user certificate above will have no extensions and be a V1
certificate with the above command. 

You are explicitly setting the serial number to 1. If the root CA certificate
also has the serial number 1 or the certificate database has another
certificate from the same CA with the serial number 1 you'll get a duplicate
serial number conflict.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
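An added example (not code from the thread, nor from the OpenSSL project's CA.pl) that reproduces the two problems Steve describes and the usual fix. It re-runs the quoted 'x509 -req' recipe, which yields a certificate with no extensions, and issues a second certificate from the same CA with '-set_serial 01' to show the duplicate serial; it then issues the client certificate with V3 extensions from a config file and a serial taken from a ca.srl file via -CAcreateserial, and bundles the CA certificate into the PKCS#12. The CA is built with proper CA extensions since the original post does not show how its CA was made. Everything else is an assumption for illustration: the file names, the subject names, the 'v3_ca' and 'v3_client' section names, 2048-bit keys without a passphrase so the script runs unattended (the post used 4096 bits with -des3), and the 'changeit' PKCS#12 password. It needs an 'openssl' binary on the PATH and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the quoted recipe and
# then issues the client certificate the way the reply implies it should be:
# V3 with extensions, a unique serial, and a CA that carries CA extensions.
# File names, subjects, section names and the PKCS#12 password are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed: a writable scratch directory
CONF="$WORK/ext.cnf"

# Extension profiles (hypothetical section names). The empty [req_dn] section
# satisfies 'openssl req -config' when the subject comes from -subj.
write_conf() {
    cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA that actually has CA extensions (the post never shows its CA).
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "/CN=Example Test CA" \
        -config "$CONF" -extensions v3_ca -out "$WORK/ca.crt" 2>/dev/null
}

# Client key and CSR; 2048 bits and no passphrase so this runs unattended.
make_client_csr() {
    openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/client.key" -subj "/CN=Subversion client" \
        -config "$CONF" -out "$WORK/client.csr" 2>/dev/null
}

# The quoted recipe: no -extfile, so no extensions (and a V1 certificate);
# -set_serial 01 hard-codes the serial.  $1 = output file name.
issue_as_posted() {
    openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 01 -out "$WORK/$1" 2>/dev/null
}

# Corrected recipe: extensions from the config, serial from ca.srl
# (-CAcreateserial creates and updates it) so each issued cert is unique.
issue_fixed() {
    openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$CONF" -extensions v3_client \
        -out "$WORK/$1" 2>/dev/null
}

# Bundle key, cert and the CA cert: a browser importing a PKCS#12 wants the chain.
export_p12() {
    openssl pkcs12 -export -in "$WORK/$1" -inkey "$WORK/client.key" -certfile "$WORK/ca.crt" \
        -name "Subversion" -passout pass:changeit -out "$WORK/client.p12"
}

# Inspection helpers: certificate version (1 or 3), hex serial, extension presence,
# number of certificates inside the PKCS#12.
cert_version() { openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
cert_serial()  { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
has_ext()      { openssl x509 -noout -text -in "$1" | grep -q -- "$2"; }
p12_cert_count() {
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

demo() {
    write_conf; make_ca; make_client_csr
    issue_as_posted client-v1.crt
    issue_as_posted client-dup.crt   # second cert, same CA, same serial 01: the conflict
    issue_fixed client-v3.crt
    export_p12 client-v3.crt
    for c in ca.crt client-v1.crt client-dup.crt client-v3.crt; do
        printf '%-15s version=%s serial=%s\n' "$c" \
            "$(cert_version "$WORK/$c")" "$(cert_serial "$WORK/$c")"
    done
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client-v3.crt"
}

demo
```

The printed table shows the point of the reply directly: both certificates made with the quoted command carry serial 01 under the same issuer, while the corrected one is V3, has basicConstraints CA:FALSE and extendedKeyUsage clientAuth, and has a serial that ca.srl will not hand out again. Delete ca.srl between runs only if you also discard every certificate it issued.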
