Hi, I'm trying to self-sign SSL certificates for corporate web servers. It seems to work fine except for installing the CA certificate into the client's "trusted root certificate store".
The idea is to do something similar to CAcert.org's root certificate (http://www.cacert.org/index.php?id=3). This way, if client browsers download and install just once my custom CA root certificate, they should "trust" all of my corporate web server certificates. So I published MY-CA/cacert.der as shown below. However, if a client installs it (most I've tested are Windows XP) it won't trust the web server certificates signed by it. I'm obviously missing something. How can I find out what I did wrong?

[on CA server]

Create CA:

  # /etc/ssl/misc/CA-HTTP.sh -newca

(CA-HTTP.sh is the standard openssl script with custom CATOP path variable)

Convert to DER:

  # openssl x509 -in MY-CA-HTTP/cacert.pem -outform DER -out MY-CA-HTTP/cacert.der

Copy it over to a public web server so client browsers can download the DER link and install it to "trusted root certificates" (mime type application/x-x509-ca-cert).

[on web server]

IIS certificate request: certreq.txt

[on CA server]

SIGN:

  # openssl ca -config ./openssl-webservers.cnf -policy policy_anything -out MY-CA-HTTP/certs/webserver_webserver1_cert.pem -infiles certreq.txt

To x509:

  # openssl x509 -in MY-CA-HTTP/certs/webserver_webserver1_cert.pem -out MY-CA-HTTP/certs/webserver_webserver1_cert.cer

[on web server]

Import webserver_webserver1_cert.cer to IIS.

Thanks,
Vieri

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
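The chain described in the post (private root CA, DER copy of the root for browsers, server certificate issued from a CSR) reproduced as an added example so that the trust relationship can be checked with openssl verify before any browser or Windows certificate store is involved. This is example code, not Vieri's commands or the CA.sh script; the CA name, the hostname webserver1.example.internal, the minimal config file and the scratch directory are all assumptions made here. Each check is a function that returns 0 on success, so the script doubles as the "what did I do wrong" diagnostic: a root without basicConstraints CA:TRUE, or a server certificate whose issuer does not match the root's subject, fails here exactly as it does in a client.

```shell
#!/bin/sh
# Added example: build a private CA and one server certificate in a scratch
# directory, then run the checks a client performs when it decides whether
# to trust the server certificate. Requires the openssl command-line tool.

WORK="${TMPDIR:-/tmp}/ca-check.$$"   # assumed scratch location

# Minimal openssl config (an assumption, standing in for openssl-webservers.cnf).
write_config() {
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:webserver1.example.internal
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

build_chain() {
  mkdir -p "$WORK" && write_config
  # Root CA: self-signed and marked CA:TRUE, otherwise clients will not
  # accept it as an issuer even after it is imported as a trusted root.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -extensions v3_ca \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
  # Server key and CSR, standing in for the IIS certreq.txt.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/ca.cnf" \
    -subj "/O=Example Corp/CN=webserver1.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Sign the CSR with the root, attaching end-entity extensions.
  openssl x509 -req -in "$WORK/server.csr" -sha256 -days 365 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
  # DER copy of the root, the form published for browsers to download.
  openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/cacert.der"
}

# 0 when the server certificate chains to the root, the core test a client runs.
chain_verifies() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# 0 when the published DER root carries basicConstraints CA:TRUE.
root_is_ca() {
  openssl x509 -in "$WORK/cacert.der" -inform DER -noout -text | grep -q 'CA:TRUE'
}

# 0 when the server certificate's issuer equals the root's subject; a mismatch
# means the server was signed by a different CA than the one clients imported.
issuer_matches() {
  issuer=$(openssl x509 -in "$WORK/server.pem" -noout -issuer)
  subject=$(openssl x509 -in "$WORK/cacert.pem" -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Run every check when executed directly: sh check-ca.sh
build_chain
for check in chain_verifies root_is_ca issuer_matches; do
  if "$check"; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```

To apply the same checks to real material, point -CAfile at the published cacert.pem and the second argument at the .cer that was imported into IIS; a failure from openssl verify on the CA host itself rules out the client's certificate store as the cause.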