I have got this to work in IE using my own CA and generated server certificates, so we'll use this browser as an example.
I presume you have secure copied the CA.crt over to the client machine.

In the Certificates snap-in in MMC (make sure you manage certificates for the Computer Account), import the CA.crt into the Certificates subsection of the Trusted Root Certification Authorities section.

That should work (and has worked correctly for me). Basically you should not be seeing any Certificate Error in the Address Bar in IE.

The CA.crt should be the only cert you need to import on the client machine.

Hope this helps.

On Tue, 05 Jun 2012 18:14:38 +0100 DRings <dbri...@gmail.com> wrote:
>I've spent too much time trying to figure out something that is probably
>well known here.
>
>I have a restricted community application that seems a perfect fit for
>using openssl to self-generate our own CA, and self-sign it, and
>self-generate our own web client authentication certificate and self-sign
>them. All this so that we can validate the Distinguished Name presented
>when web browser connecting to our nginx web server.
>
>I have done all this many times but have not been able to get various web
>browsers to use the self-generated/self-signed client authentication certs.
>
>I have imported both the CA.crt and the client.crt into the OS certificate
>store. But after that the web browser does not seem to use the cert for
>authentication.
>
>I've tried to set the properties on the imported certificate to be used for
>"web client authentication". - it just does not work!
>
>I just cannot keep spending time on this problem. If I cannot find help, I
>will urge the requirement for client certs be dropped from the project.
>
>(personal lore) It seems that the web browsers fail because our
>self-generated/self-signed CA is not signed by some higher CA that is
>trusted. Is that true or false?
>
>If it is false, I need help to overcome the failure of the web browsers to
>correctly use our certs.
>
>Thanks!!!!
>David
>--
>View this message in context: http://old.nabble.com/self-generated%2C-self-signed-root-CA-and-Client-Auth-Certs-not-working-tp33965371p33965371.html
>Sent from the OpenSSL - User mailing list archive at Nabble.com.
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    openssl-us...@openssl.org
>Automated List Manager                           majord...@openssl.org
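
The PKI the quoted question describes, as an added example that is not part of the thread or of either poster's setup: a self-signed root plus a clientAuth certificate, checked with `openssl verify` using only CA.crt as the trust anchor. Subjects, the 30-day lifetime, helper names and the PKCS#12 password are constructed; it assumes the `openssl` CLI, version 1.1.1 or later.

```shell
#!/bin/sh
# Added example: throwaway self-signed root CA and one client-auth certificate.
# Subjects, lifetimes, helper names and the password are constructed values.
set -eu

# new_csr <dir> <name> <subject>: unencrypted RSA key plus a CSR for it.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_pki() {
    d=$1
    # Root CA: signed with its own key (issuer == subject) and marked CA:TRUE.
    new_csr "$d" CA "/O=Example Community/CN=Example Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/CA.ext"
    openssl x509 -req -in "$d/CA.csr" -signkey "$d/CA.key" -days 30 \
        -extfile "$d/CA.ext" -out "$d/CA.crt" 2>/dev/null

    # Client certificate: issued by the root, restricted to TLS client auth.
    new_csr "$d" client "/O=Example Community/CN=alice"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >"$d/client.ext"
    openssl x509 -req -in "$d/client.csr" -CA "$d/CA.crt" -CAkey "$d/CA.key" \
        -CAcreateserial -days 30 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null

    # A client can only present a certificate whose private key it holds,
    # so key and certificate are bundled together as PKCS#12.
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
        -passout pass:constructed-example -out "$d/client.p12"
}

# Does client.crt chain to CA.crt, used as the trust anchor, for TLS client auth?
verify_client() {
    openssl verify -CAfile "$1/CA.crt" -purpose sslclient "$1/client.crt" >/dev/null 2>&1
}

# Does client.crt carry the clientAuth extended key usage?
has_client_eku() {
    openssl x509 -in "$1/client.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

dir=$(mktemp -d)
make_pki "$dir"
verify_client "$dir" && has_client_eku "$dir" &&
    echo "client.crt verifies against the self-signed CA.crt"
```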