On 6/5/2012 10:14 AM, DRings wrote:
>
> I've spent too much time trying to figure out something that is probably well
> known here.
>
> I have a restricted community application that seems a perfect fit for using
> openssl to self-generate our own CA, and self-sign it, and self-generate our
> own web client authentication certificates and self-sign them. All this so
> that we can validate the Distinguished Name presented when a web browser
> connects to our nginx web server.
>
> I have done all this many times but have not been able to get various web
> browsers to use the self-generated/self-signed client authentication certs.
>
> I have imported both the CA.crt and the client.crt into the OS certificate
> store. But after that the web browser does not seem to use the cert for
> authentication.
>
> I've tried to set the properties on the imported certificate to be used for
> "web client authentication". - it just does not work!
>
> I just cannot keep spending time on this problem. If I cannot find help, I
> will urge the requirement for client certs be dropped from the project.
>
> (personal lore) It seems that the web browsers fail because our
> self-generated/self-signed CA is not signed by some higher CA that is
> trusted. Is that true or false?
>
> If it is false, I need help to overcome the failure of the web browsers to
> correctly use our certs.
>
> Thanks!!!!
> David

On Linux, web browsers use their own cert stores, usually per-user. Firefox
uses a file called cert8.db, which you can find in the user's Firefox profile
folder, and you have to use a tool called certutil to import certs (or the UI).
I don't remember offhand where other browsers store them, but I don't recall
any that use the system cert store.

Joshua Bowman
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
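
The per-profile import the reply describes, as an added shell example that is not part of the original thread. It uses the NSS tools certutil and pk12util; the file name client.p12 (a PKCS#12 bundle with the client certificate and its private key), the nickname "Community CA", the DRY_RUN switch and the profile root ~/.mozilla/firefox are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: CA.crt is the PEM CA
# certificate, client.p12 is a PKCS#12 bundle holding the client certificate
# and its private key, and "Community CA" is a nickname chosen here.

# Print one NSS database spec per Firefox profile found under directory $1.
# cert8.db is the legacy DBM store, cert9.db the newer SQLite store; when a
# migrated profile has both, only the SQLite one is reported.
find_nss_dbs() {
    for db in "$1"/*/cert8.db "$1"/*/cert9.db; do
        [ -f "$db" ] || continue            # an unmatched glob stays literal
        dir=$(dirname "$db")
        case "$db" in
            */cert9.db) printf 'sql:%s\n' "$dir" ;;
            */cert8.db) [ -f "$dir/cert9.db" ] || printf 'dbm:%s\n' "$dir" ;;
        esac
    done
}

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Import the CA and the client identity into every profile under $1.
# The list is read on fd 3 so that stdin stays free for password prompts.
import_into_profiles() {
    while IFS= read -r spec <&3; do
        [ -n "$spec" ] || continue
        # "C,," trusts the CA for identifying TLS servers only.
        run certutil -A -d "$spec" -n "Community CA" -t "C,," -i "$2"
        # A browser can present a client certificate only if it also holds
        # the matching private key, so the PKCS#12 bundle is imported.
        run pk12util -i "$3" -d "$spec"
        run certutil -L -d "$spec"          # list what the store now holds
    done 3<<EOF
$(find_nss_dbs "$1")
EOF
}

# Usage: sh import-certs.sh ~/.mozilla/firefox CA.crt client.p12
if [ "$#" -eq 3 ]; then import_into_profiles "$@"; fi
```

Setting DRY_RUN=1 prints the certutil and pk12util commands for each profile without touching any store.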