> Error validating server certificate for 'https://acer9100:443':
>  - The certificate is not issued by a trusted authority. Use the
>    fingerprint to validate the certificate manually!
> Certificate information:
>  - Hostname: acer9100
>  - Valid: from Mar  9 14:29:17 2007 GMT until Mar  8 14:29:17 2010 GMT
>  - Issuer: Costacurta.org, Brussels, Brussels Region, BE
> ...
> Assuming, strictly technically speaking and in the way they're created,
> that trusted and local CA are identical, I suppose something has to be
> aligned between CA and client certificate to avoid this message 'The
> certificate is not issued by a trusted authority'.

No, nothing has to be "aligned". As the error message says, the problem is
that the certificate "is not issued by a trusted authority".

> Am I correct in this assumption ?
> If yes, what (fields and/or policy ?) needs to be aligned or setup ?

The certificate needs to have been issued by an authority the client trusts.
It does the client no good if someone the client does not trust vouches for
the authority of the server.

> Note: If I used my CAcert certificate client (obtained via
> www.CAcert.org) I receive the same complaint but regarding an invalid
> hostname which is correct as my certificate client reflects my domain
> costacurta and not my hostname acer9100 as defined for Apache.
> ...
> - The certificate hostname does not match.

> I make about this message the assumption the problem is linked with the
> configuration and creation of the client certificate, not in the trusted
> or not status of the CA.

This is a different problem. If the client wants to connect to "costacurta"
and the certificate is for "acer9100", the client concludes that the server
has *not* proven its identity. If I point my browser to "www.amazon.com" and
the server proves its identity to be "www.scammers.com", I *don't* want to
be sending them my credit card.

The CA vouches for the identity of the server. If the CA is trusted by the
client, and the identity the CA vouched for is the thing the client wanted
to talk to, then we have established some security. Otherwise, we have not
accomplished anything.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
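
The two independent checks discussed in this thread (is the issuer trusted, and does the certified name match the host the client asked for) can be reproduced offline with the openssl command line. This is an added example, not part of the original message; it assumes OpenSSL 1.1.0 or later, and the CA name, file names and the `verdict` helper are constructed for the demo.

```shell
#!/bin/sh
# Added example: every key and certificate below is constructed, throwaway data.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_certs() {
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$demo_dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Local CA
CN = Example Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed local CA that no client trusts by default.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$demo_dir/ca.cnf" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null
    # Server key and CSR for the host name from the thread.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=acer9100" \
        -config "$demo_dir/ca.cnf" \
        -keyout "$demo_dir/srv.key" -out "$demo_dir/srv.csr" 2>/dev/null
    # The CA vouches for exactly one identity: acer9100.
    printf 'subjectAltName = DNS:acer9100\n' > "$demo_dir/ext.cnf"
    openssl x509 -req -in "$demo_dir/srv.csr" -days 1 \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -extfile "$demo_dir/ext.cnf" -out "$demo_dir/srv.pem" 2>/dev/null
}

# verdict [openssl verify options]: prints "accepted" or "rejected".
verdict() {
    if openssl verify "$@" "$demo_dir/srv.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_certs
ca="$demo_dir/ca.pem"
echo "CA not trusted by the client:      $(verdict)"
echo "CA trusted, name not checked:      $(verdict -CAfile "$ca")"
echo "CA trusted, expecting acer9100:    $(verdict -CAfile "$ca" -verify_hostname acer9100)"
echo "CA trusted, expecting costacurta:  $(verdict -CAfile "$ca" -verify_hostname costacurta)"
```

The same server certificate is rejected in the first case only because of who signed it, and in the last case only because of the name the client expected; nothing inside the certificate changes between the runs.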
