On 06/05/2012 07:14 PM, DRings wrote:
> I've spent too much time trying to figure out something that is probably well
> known here.
> I have a restricted community application that seems a perfect fit for using
> openssl to self-generate our own CA, and self-sign it, and self-generate our
> own web client authentication certificate and self-sign them. All this so
> that we can validate the Distinguished Name presented when a web browser
> connects to our nginx web server.

I assume you mean 'sign it by your CA'

> I have done all this many times but have not been able to get various web
> browsers to use the self-generated/self-signed client authentication certs.
> I have imported both the CA.crt and the client.crt into the OS certificate
> store. But after that the web browser does not seem to use the cert for
> authentication.
> I've tried to set the properties on the imported certificate to be used for
> "web client authentication" - it just does not work!

You also need to configure your server to ask for client certificates of your
CA.

> I just cannot keep spending time on this problem. If I cannot find help, I
> will urge that the requirement for client certs be dropped from the project.
> (personal lore) It seems that the web browsers fail because our
> self-generated/self-signed CA is not signed by some higher CA that is
> trusted. Is that true or false?

They don't fail, they warn that your CA that has signed
your server certificate is not installed by default as a trusted CA.

> If it is false, I need help to overcome the failure of the web browsers to
> correctly use our certs.
> Thanks!!!!
> David
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
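
The setup discussed in this thread (a self-signed private CA, a client certificate signed by that CA, and an nginx server told to request certificates from it), as an added example that is not part of the original messages. All file names, subject names, the PKCS#12 password and the X-Client-DN header name are constructed assumptions.

```shell
#!/bin/sh
# Added example. Every name, subject and password here is a constructed placeholder.
# Usage: make_client_pki ./pki && check_client_cert ./pki && nginx_snippet "$PWD/pki"
set -eu

# Build a private CA and one CA-signed client certificate in directory $1.
make_client_pki() {
    d="$1"; mkdir -p "$d"
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    # 1. Self-signed root: the only self-signed certificate in the chain.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/pki.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt"
    # 2. Client key and CSR, then a certificate signed by the CA (not self-signed).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/O=Example Org/CN=alice" -keyout "$d/client.key" -out "$d/client.csr"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/pki.cnf" -extensions v3_client \
        -out "$d/client.crt"
    # 3. A browser can only authenticate if it holds the private key as well,
    #    so bundle key + certificate + CA as PKCS#12 for import.
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/ca.crt" -name alice -passout pass:changeit -out "$d/client.p12"
}

# Succeeds only if the client cert chains to the CA and is valid for TLS client auth.
check_client_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null
}

# Server side: nginx directives that request and verify certificates from this CA
# and pass the verified subject DN to the application behind it.
nginx_snippet() {
    printf '%s\n' "ssl_client_certificate $1/ca.crt;" "ssl_verify_client on;" \
        'proxy_set_header X-Client-DN $ssl_client_s_dn;'
}
```

The directives printed by `nginx_snippet` belong in the TLS `server` block; the file imported into the browser or OS store is `client.p12`, while `ca.crt` is what the server trusts for client verification.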