I've found a solution.

It seems to be a problem with the CRL.

I've created a "crl.crl" file and installed it in XP and 2003 Server (in 
"MMC Certificates - Local computer", under "Intermediate Certification 
Authorities" \ "Certificate Revocation List"; in French the real names are 
"Autorités intermédiaires" \ "Liste de révocation de certificats", and I prefer 
to give the real names here rather than a bad translation).

I've installed the ".p12" user file in MMC Certificates, "Local user" and "Local 
computer": Personal (Perso) \ Certificates.

I've installed the ".p12" CA file in MMC Certificates, "Local user" and "Local 
computer": Trusted Root Certification Authorities (Autorités de certification 
racines de confiance) \ Certificates.

All now works fine.

Thanks for all.

Best regards.

> From: dthomp...@prinpay.com
> To: openssl-users@openssl.org
> Subject: RE: users auth. in XP for HTTPS
> Date: Mon, 29 Aug 2011 21:29:26 -0400
> 
> >     From: owner-openssl-us...@openssl.org On Behalf Of Jean Brico
> >     Sent: Sunday, 28 August, 2011 09:40
> 
> >     I've a CA on a Debian host that works fine and uses scripts in openssl.
> 
> >     I've a 2003 Server with an HTTPS site. It owns its certificate
> >     generated by this CA.
> 
> >     When an XP client connects to this site with "http://www.secure.local",
> >     a message shows me that I try to connect to a secure site.
> 
> >     My problem: I modify the configuration of my server: I want now
> >     clients to authenticate them.
> 
> (Small aside: authenticate is not reflexive in English. The clients
> authenticate; or the server authenticates the clients; or the server
> verifies the clients.)
>       
> >     When an XP client connects to this site with "http://www.secure.local",
> >     a message shows me that I have to select a certificate to authenticate me.
> >     In this window, no certificate appears.
> 
> >     But a certificate for my user had been generated by the CA and installed
> >     in the web browser. This certificate is also in the MMC with all other
> >     certificates. The certificate is good, with the certificate of the CA.
> 
> If you mean installed using Internet Explorer "Options", that's not really 
> *in* the browser; it's on the browser menu, but it's actually in Windows.
> When you see it in MMC/certmgr, that confirms it's in Windows. And available
> to any program using the Windows store, apparently including your XP client.
>       
> >     With a certificate created by the Microsoft CA (with the web site
> >     "certsrv"), all is fine: the window shows me user certificates. I've only
> >     to select one to connect to the secure web site.
> 
> The CA name (issuer) of the Microsoft-issued certificate is presumably 
> different. Is the server configured to request/demand a client certificate 
> using the CA name of the Microsoft CA? Of your Debian CA? Both? Neither? 
> 
> If you can't determine this by looking at the server:
> 
> - with OpenSSL commandline on any machine that can reach the server 
> 'openssl s_client -connect server:port -state -debug' and look at 
> the server's CertificateRequest message to see what it's asking for;
> the format is in RFC 2246 or 4346 but the CertReq message consists 
> almost entirely of a sequence of DNs which are mostly readable.
> 
> - install WireShark (www.wireshark.org) on the Windows client machine 
> and use it to monitor a connection attempt. It will decode the CertReq 
> (and other messages) for you.
>       
> >     I've compared the two certificates, and I've only found one difference:
> >     in the Microsoft user certificate, I've:
> >     "use of the key: cypher of data (f0)" (translated from French).
> >     In my certificate generated with openssl, I don't have this line.
> 
> >     Here is a part of the file used to generate the user certificate:
> >     keyUsage                 = digitalSignature, nonRepudiation, keyEncipherment
> 
> >     I don't see anything like "cypher of data". What to write to add this?
> >     Is my problem coming from this point?
> 
> That sounds like the keyUsage bit dataEncipherment, and OpenSSL CA can 
> set it. But SSL never *does* dataEncipherment using a certificate/key, 
> so this bit should not be needed or make any difference.
> 
> I think the problem is more likely 'requested client CA-name(s)'.
> 
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
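The check Dave Thompson suggests in the quoted reply, reading the list of CA names (DNs) in the server's CertificateRequest message and comparing it with the issuer of the client's own certificate, worked through in Python. This is an added example and not code from the thread: the CertificateRequest body, the CA names "O=Example, CN=Microsoft CA" and "O=Example, CN=Debian CA", and all function names are constructed for illustration. It follows the TLS 1.0/1.1 layout from RFC 2246/4346 that the reply mentions, plus the optional signature-algorithm list that TLS 1.2 (RFC 5246) inserts before the DN list; the DER decoder handles only the one-attribute-per-RDN names that CA subjects normally use.

```python
"""Decode the CA-name list a TLS server sends in CertificateRequest.

Added example, not from the openssl-users thread. The message and the CA
names below are constructed; a real body comes from the bytes that
'openssl s_client -debug' or Wireshark shows after the handshake header.
"""
import struct

# X.501 attribute types common in CA names (constructed short list).
OID_CN = b"\x55\x04\x03"
OID_O = b"\x55\x04\x0a"
OID_NAMES = {OID_CN: "CN", b"\x55\x04\x06": "C", OID_O: "O", b"\x55\x04\x0b": "OU"}


# --- minimal DER helpers; the encoders only exist to build the sample ---

def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def der_name(rdns):
    """Encode [(oid_bytes, text), ...] as an X.501 Name, one attribute per RDN."""
    sets = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, text.encode())))
        for oid, text in rdns
    )
    return der_tlv(0x30, sets)


def der_read(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Render a DER Name as 'O=..., CN=...' in encoded order."""
    tag, seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = der_read(seq, pos)      # SET OF AttributeTypeAndValue
        _, attr, _ = der_read(rdn_set, 0)         # first (only) attribute
        _, oid, after = der_read(attr, 0)
        _, value, _ = der_read(attr, after)
        label = OID_NAMES.get(oid, "OID" + oid.hex())
        parts.append("%s=%s" % (label, value.decode("utf-8", "replace")))
    return ", ".join(parts)


# --- CertificateRequest body (handshake type/length header not included) ---

def build_certificate_request(cert_types, names, tls12=False):
    body = bytes([len(cert_types)]) + bytes(cert_types)
    if tls12:
        # RFC 5246 supported_signature_algorithms: one entry, rsa/sha256 (constructed)
        body += struct.pack("!H", 2) + b"\x04\x01"
    dn_bytes = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return body + struct.pack("!H", len(dn_bytes)) + dn_bytes


def parse_certificate_request(body, tls12=False):
    """Return (certificate_types, [readable DN, ...]) from a CertificateRequest body."""
    ntypes = body[0]
    cert_types = list(body[1:1 + ntypes])
    pos = 1 + ntypes
    if tls12:
        (alg_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + alg_len
    (dn_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end, names = pos + dn_total, []
    while pos < end:
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        names.append(decode_name(body[pos:pos + dn_len]))
        pos += dn_len
    return cert_types, names


def client_cert_is_acceptable(body, issuer_dn, tls12=False):
    """True if the client's issuer is listed, or the list is empty (any CA accepted)."""
    _, names = parse_certificate_request(body, tls12)
    return not names or issuer_dn in names


# Constructed sample: a server that only names the Microsoft CA.
MICROSOFT_CA = der_name([(OID_O, "Example"), (OID_CN, "Microsoft CA")])
DEBIAN_CA = der_name([(OID_O, "Example"), (OID_CN, "Debian CA")])
SAMPLE_REQUEST = build_certificate_request([1, 2], [MICROSOFT_CA])  # 1=rsa_sign, 2=dss_sign

if __name__ == "__main__":
    types, names = parse_certificate_request(SAMPLE_REQUEST)
    print("certificate_types:", types)
    for dn in names:
        print("server accepts certificates issued by:", dn)
    print("Debian-issued client cert usable:",
          client_cert_is_acceptable(SAMPLE_REQUEST, "O=Example, CN=Debian CA"))
```

With the sample above the Debian-issued client certificate is reported as not usable, which is exactly the symptom in the thread: Windows only offers certificates whose issuer chain matches a name in this list, so an empty selection dialog usually means the server never named the Debian CA. An empty DN list is the other case worth remembering, since RFC 4346 lets the client then send a certificate from any CA.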