Hi, I am trying to add a self signed root certificate to Firefox (1.5.0.7) that was generated with openssl and is connecting to an openssl 0.9.7e based httpd (acme mini_httpd). The certificate was created with openssl 0.9.8a.
I can connect to the httpd just fine with Firefox, but when I add the root certificate to Firefox's certificate authority store and connect to the web server I get: "Could not establish an encrypted connection because certificate presented by <host> is invalid or corrupted. Error Code: -8182".

Firefox seems to think that the root certificate is valid and 'openssl verify' says that the httpd cert is valid (using the root cert).

The httpd reports:

    331:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42

Wireshark shows the same error:

    TLSv1 Alert (level: fatal, description: bad certificate)

So I haven't got the slightest idea what is bad about the certificate. I'm creating the certs using fairly standard steps, based on the CA.pl script.

The root certificate is a self signed 2048 bit DSA cert:

    openssl dsaparam -genkey -out $caDsaFile 2048

    openssl req -config $conf -batch -nodes -new -subj "$subj" \
        -days $days -newkey dsa:$caDsaFile \
        -keyout $caKeyFile -out $caReqFile -outform PEM

    openssl ca -config $conf -batch -notext -selfsign -days $days \
        -extensions v3_ca -out $caCertFile -keyfile $caKeyFile -in $caReqFile

The httpd cert is a 2048 bit RSA cert signed by the root cert above:

    openssl req -config $conf -batch -nodes -subj "$subj" -days $days \
        -newkey rsa:2048 -keyout $keyFile -keyform PEM \
        -out $reqFile -outform PEM \

    openssl ca -config $conf -batch -notext -days $days \
        -keyfile $caKeyFile -cert $caCertFile \
        -in $reqFile -out $certFile \

Any ideas what could be the problem here? The 2048 bit DSA key is a bit large, but this is for an embedded product that should have a fairly long lifespan, so I figured a few extra bits can't hurt.

Thanks,
Clem