Hello!

Thanks for the tips on how to make MSIE accept self-signed client certs. However, I must confess that some of the tips are above my level of understanding...

I include the details of our present situation, and the tips that I've been given, in the hope that it helps toward a greater understanding...

First of all, the problem:

In connecting to a server which requires client certs, Explorer gives me an empty list of certs to choose from (not a particularly unusual situation, as far as I've understood). In the server's error log it says - SSL-accept failed.
Second, the server environment:

I learned only today from the man in charge that we haven't installed mod_ssl, only Apache-SSL is installed. What could be the consequences of this - should we install it, in order to solve the problem? (Perhaps a stupid question to ask in a mod_ssl forum...)

Anyway, the versions are:
Apache 1.2.6
Apache-SSL 1.2.5
SSLeay 0.8.1
Server certificate from Thawte
(will this work - client cert and server cert signed by different CAs?)
Then, a little background:

Netscape has worked like a charm ever since the beginning. We use CGI programs written in C that, at the 'certificate level' so to say, run the different scripts like CA.sh etc. For MSIE we have downloaded Clifford Heath's solution, written in shell script (unsure of the spelling there).

We set up our own CA, and used it to generate client certificates. After a while I learned that MSIE needs to download the root CA in DER format, so I converted the cacert.pem using SSLeay's scripts. Then I loaded it into MSIE, simply through surfing to the server and specifying 'cacert.der' in the URL. Before that we added the 'der' type to Apache's MIME types. And, astonishingly, it worked! MSIE accepted the root CA, I connected to the server, the list shown wasn't empty and the client cert was accepted.

Sadly I didn't stop there. Since MSIE 3.02 refused to cooperate, I learned that a likely reason was that we skipped a field in creating the CA. So we simply deleted the CA, and created a new one. Since then, neither of the MSIE versions works!! This despite my retracing the same steps (DER conversion etc.).

So, was it just a coincidence that it worked at all, since I missed some other things, or have I forgotten something more that must be done with the server? This brings me to the tips:
Manuel J. Galan wrote:

> 1- (server) self made (signed) CA certificate (appended
> to the list of CA's extracted from Netscape, file
> /etc/httpd/conf/ssl.crt/ca-bundle.crt)
> This point seems ESSENTIAL! You have to enable the option and append
> your own file (you can use 'x509 -in my_ca.der -inform DER -fingerprint -text')
> to the bundle.

To my knowledge, the only thing we did was to point out the cacert.pem in the 'SSLCACertificateFile' directive (/usr/local/ssl/certs/demoCA/cacert.pem). No extraction, no bundle. Is this incomplete? If so, how to extract from Netscape (Navigator?) and how to append my CA to the list?
> 2- (client) stage 1 self made CA certificate imported into
> MSIE4.01 in 'der' format through cgi-bin script.

Ok, only one question - nowhere have I seen a reference to someone loading the cert simply by typing the name in the URL. Not that I see any harmful consequences, but I've been wrong before 8-).
>
> 3- (client) client certificate exported from Netscape in *.p12 format
> and imported into NT4+SP4_128 double clicking the file and going
> through the import certificate wizard. NT4+SP4_128=MicroSoft
> Windows NT4 plus Service Pack 4 (domestic/128 version)

Hmm, this one leaves a blank. First of all, my knowledge of the PKCS format is limited, and then first loading the cert (the MSIE cert?) into Netscape, and then exporting it in order to import it into NT - I'm afraid you lost me on the way there...
>
> 4- (server) 'SSLVerifyClient require', 'SSLVerifyDepth 10'
> 'SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt'
> directives.

'SSLVerifyClient=2', 'SSLCACertificateFile' as above. The SSLVerifyDepth is another confusion. I've read the discussion between Joost and Ralf, among others, concerning this directive. Does it play any vital role in my situation? Does it really matter whether it's set to 10 or 2? Sure, it's more logical with a value of 2, since I won't use any external CA, but could it have anything to do with the problem?

That's about it - sorry for the length of it, but hopefully it gives a better idea of what's going on...

And again, _any_ help is greatly appreciated!

Thanks,
/Kenneth Pettersson
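An added example, not code from Kenneth's post or from Apache-SSL/mod_ssl, that walks through the steps the thread is about with today's `openssl` command line (1.1.1 or later is assumed; SSLeay 0.8.1 spelled its options differently): create a private CA, convert it to the DER form the browser needs, append the PEM copy to a CA bundle, issue a client certificate under it, and then run the check the server performs for `SSLVerifyClient require`, namely that the presented client certificate chains to a CA in the bundle within the allowed depth. It also reproduces the server side of the situation described above: after the CA is deleted and recreated, certificates issued by the old CA no longer verify against a bundle that holds only the new one, while a bundle that carries both CAs accepts both. Directory names, subject names, file names and the embedded config are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apache-SSL/mod_ssl.
# Assumes a modern openssl binary (1.1.1 or later); all names are constructed.

# Create a private CA in $1 with common name $2, write the DER copy the
# browser needs, and append the PEM copy to a CA bundle in the same directory.
# A self-contained config is written so the result does not depend on the
# system openssl.cnf (a CA cert must carry basicConstraints CA:TRUE to be
# accepted as an issuer during verification).
make_test_ca() {
    dir="$1"; cn="${2:-Demo Root CA}"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = $cn
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    # PEM -> DER: the conversion the post did "using SSLeay's scripts".
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der" 2>/dev/null || return 1
    # A CA bundle is just concatenated PEM certificates; appending is enough.
    cat "$dir/ca.pem" >> "$dir/ca-bundle.crt"
}

# Issue a client certificate with common name $2, signed directly by the CA in $1.
issue_client_cert() {
    dir="$1"; name="$2"
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$name" -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.pem" >/dev/null 2>&1
}

# SHA-1 fingerprint of certificate $1 in format $2 (PEM or DER), with the
# "Fingerprint=" prefix stripped so two copies can be compared directly.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha1 2>/dev/null | sed 's/^.*=//'
}

# The check behind 'SSLVerifyClient require': does client cert $1 chain to a
# CA in bundle $2 within $3 levels? Depth 1 = signed directly by a bundled CA.
verify_client() {
    cert="$1"; bundle="$2"; depth="${3:-1}"
    openssl verify -CAfile "$bundle" -verify_depth "$depth" "$cert" >/dev/null 2>&1
}

# Walk-through: a new CA, a client cert under it, and a leftover cert from an
# old CA that has since been deleted and recreated (the situation in the post).
demo() {
    work=$(mktemp -d)
    mkdir "$work/new" "$work/old"
    make_test_ca "$work/new" "Demo Root CA" || return 1
    make_test_ca "$work/old" "Old Demo CA" || return 1
    issue_client_cert "$work/new" alice || return 1
    issue_client_cert "$work/old" bob || return 1
    # "Append your own CA to the bundle": a bundle holding both CAs.
    cat "$work/new/ca.pem" "$work/old/ca.pem" > "$work/both.crt"

    echo "CA fingerprint from PEM: $(cert_fingerprint "$work/new/ca.pem" PEM)"
    echo "CA fingerprint from DER: $(cert_fingerprint "$work/new/ca.der" DER)"
    for pair in "new/alice new/ca-bundle.crt" "old/bob new/ca-bundle.crt" "old/bob both.crt"; do
        set -- $pair
        if verify_client "$work/$1.pem" "$work/$2" 1; then
            echo "$1.pem against $2: chains to the bundle, server would accept it"
        else
            echo "$1.pem against $2: does not chain, SSL-accept fails"
        fi
    done
    rm -rf "$work"
}

# Run the walk-through only when asked: sh demo.sh run
case "${1:-}" in run) demo ;; esac
```

Run it with `sh demo.sh run`. The two fingerprint lines are the check Manuel's `x509 -inform DER -fingerprint` tip gives: if the DER file loaded into the browser and the PEM file named in `SSLCACertificateFile` print the same fingerprint, they are the same CA; if they differ, the browser trusts a root the server no longer uses, which is exactly what deleting and recreating the CA produces.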
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]