On Friday 09 March 2007 10:12:49 Bruno Costacurta wrote:
> Hello to everyone,
>
> I created a client certificate with my own local CA to configure an Apache
> + https but receive the following (ie. when working with subversion using
> https):
>
> ...
> Error validating server certificate for 'https://acer9100:443':
>  - The certificate is not issued by a trusted authority. Use the
>    fingerprint to validate the certificate manually!
> Certificate information:
>  - Hostname: acer9100
>  - Valid: from Mar 9 14:29:17 2007 GMT until Mar 8 14:29:17 2010 GMT
>  - Issuer: Costacurta.org, Brussels, Brussels Region, BE
> ...
> Assuming, strictly technically speaking and in the way they're created,
> that trusted and local CA are identical, I suppose something has to be
> aligned between CA and client certificate to avoid this message 'The
> certificate is not issued by a trusted authority'.
>
> Am I correct in this assumption ?
> If yes, what (fields and/or policy ?) needs to be aligned or setup ?
>
Not really; what you need to do is ensure that the CA certificate used is in
the Trusted CA Certificate store on the client.

If you add your own CA to the client's trusted certificate store, this message
will go away.

> Note: If I used my CAcert certificate client (obtained via www.CAcert.org)
> I receive the same complaint but regarding an invalid hostname which is
> correct as my certificate client reflects my domain costacurta and not my
> hostname acer9100 as defined for Apache.
> ...
>  - The certificate hostname does not match.
> Certificate information:
>  - Hostname: Bruno Costacurta
>  - Valid: from Mar 5 13:21:49 2007 GMT until Mar 4 13:21:49 2009 GMT
>  - Issuer: http://www.cacert.org, Root CA
> ...
> I make about this message the assumption the problem is linked with the
> configuration and creation of the client certificate, not in the trusted
> or not status of the CA.
>
This is correct - you must have (for most modern browsers) a match between the
Common Name element in the Subject Field of the certificate, and the FQDN used
to access the site... for instance, if the Subject field ends in the following:

CN=www.example.com

and you have the web server host with the following configuration:

IP Address: 192.168.1.1
Local Host Name: foobar
Fully Qualified DNS Entry: www.example.com

You will get the "certificate hostname does not match", if you access the web
server with http://192.168.1.1 or http://foobar but not http://www.example.com

Hope that is clear.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
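As an added worked example (not part of the thread, and not OpenSSL's or Subversion's own code), the script below reproduces both messages from the exchange with a throwaway local CA and `openssl verify`: the server certificate is rejected while its issuer is absent from the trust store, accepted once the CA file is supplied, and then, with the CA trusted, passes the name check for the FQDN in the certificate and fails it for the bare host name. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the CA name, `www.example.com`, `foobar` and the scratch directory are illustrative. One caveat the thread does not mention: current clients ignore the Subject CN for name matching and require a subjectAltName, so the server certificate carries the FQDN there as well.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce Subversion's two complaints
# with a throwaway CA and `openssl verify`. Assumes openssl 1.1.1+ on PATH.
# All names (the CA DN, www.example.com, foobar) are illustrative.
set -u

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs

# Build a self-signed local CA and one server certificate issued by it.
make_pki() {
    # Minimal req config so the script does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$WORK/req.cnf"

    # The CA: this is the file the client has to add to its trusted store.
    openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=BE/L=Brussels/O=Example Local CA/CN=Example Local CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1

    # The server: CN is the FQDN clients will type into the URL.
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1 || return 1

    # Current clients match the name against subjectAltName, not CN, so carry
    # the same FQDN there too (the thread only talks about CN).
    printf 'subjectAltName = DNS:www.example.com\n' > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Succeeds only if openssl printed "<file>: OK" AND exited 0; the printed
# verdict is checked so the result does not hinge on exit-status behaviour.
verify_ok() {
    out=$(openssl verify "$@" "$WORK/srv.pem" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q ': OK$'
}

# Is the server certificate issued by a trusted authority?
#   $1 = CA bundle to trust, or "" to trust nothing (the client's position
#        before the local CA is installed)
verify_chain() {
    if [ -n "$1" ]; then verify_ok -CAfile "$1"
    else verify_ok -no-CAfile -no-CApath; fi
}

# With the local CA trusted, does the certificate match the name the client used?
#   $1 = hostname exactly as typed in the URL
verify_name() {
    verify_ok -CAfile "$WORK/ca.pem" -verify_hostname "$1"
}

# Print openssl's own verdict for one scenario: $1 = label, rest = verify options.
show() {
    label=$1; shift
    echo "$label"
    openssl verify "$@" "$WORK/srv.pem" 2>&1 | sed 's/^/    /'
}

# Walk through the thread's two errors and their fixes.
demo() {
    make_pki || { echo "openssl missing or key generation failed" >&2; return 1; }
    show "1) CA not in the client's trust store:"        -no-CAfile -no-CApath
    show "2) local CA added to the trust store:"         -CAfile "$WORK/ca.pem"
    show "3) CA trusted, URL uses the local host name:"  -CAfile "$WORK/ca.pem" -verify_hostname foobar
    show "4) CA trusted, URL uses the certificate FQDN:" -CAfile "$WORK/ca.pem" -verify_hostname www.example.com
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh cert-check.sh` to see the four verdicts in order: an issuer lookup failure, `OK`, a hostname mismatch, and `OK` again. For Subversion specifically, the "trusted store" the reply refers to is configured per client with `ssl-authority-files = /path/to/ca.pem` in the `[global]` section of `~/.subversion/servers`; once that points at the local CA the first message goes away, and only a certificate whose name matches the host in the checkout URL will clear the second.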