I have read all the documentation I can get my hands on, including Ralf's
from the mod_ssl web-site, the ssleay FAQ, Rudolph Pienaar's paper, and
Fred Hirsch's paper.
Using the scripts in Fred's paper,
http://www.camb.opengroup.org/RI/www/prism/wwwj/index.html , I am trying to
load a client certificate into a netscape browser.
I have the following setup:
1. /usr/local/ssl is the ssl root, holding the bin,lib, paths.
2. ssleay.cnf is in usr/local/ssl/lib
3. ./demoCA is in same
4. I have tried with my ssleay cnf configured to use bruceCA as the
replacement for demoCA.
5. /usr/local/ssl/bin is in my path.
I have used the following sequence of commands:
CA.sh -newca
CA.sh -newreq
CA.sh -sign
to create a new certification tree so that the client certificates I would
create are created by my own CA.
I have checked all file protections and ownerships on both the ./demoCA and
./bruceCA trees so that they are readable by the webserver running as user
httpd.
I receive the following error from Fred's ns-cert.pl script:
Certificate request failed
/usr/local/ssl/bin/ca -config /usr/local/ssl/lib/ssleay.cnf -spkac
/data/web/public/server/certs/cert37.req -out
/data/web/public/server/certs/cert37.result -days 360
rc = 256
Using configuration from /usr/local/ssl/lib/ssleay.cnf
unable to load CA private key
15468:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
decrypt:evp_enc.c:275:
15468:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:403:
commonName
Client Certificate
emailAddress
[EMAIL PROTECTED]
organizationName
Comport
organizationalUnitName
HQ
localityName
Ramsey
stateOrProvinceName
NJ
countryName
US
SPKAC
MIHFMHEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtL+pTWvR1HuqbGa7yfOsd//f
g8X5AMT3Lo+CO2VHyqONr5ht43IaIG3N5LMqJII7LZXrO0Wv3WxljDh1Xuc78QID
AQABFhFjaGFsbGVuZ2VQYXNzd29yZDANBgkqhkiG9w0BAQQFAANBAC1l2mfNrU1n
dMCZZIvb5MZxXz9ZFJ9YqvWGt2MdYQ+FZ1RS8z164HtHr00PuY/0Matdb8TJd2pu
wn2vHdqilfI=
SUBMIT
Submit Query
As you can see I have tried this 37 times!
I am clearly confused at this point about what steps to take to generate a
CA that can then be used to create client certificates.
One last note, I am using apache with mod_ssl and a certificate generated
by me to run an encrypted server.
Any help will be appreciated, especially that which assumes I know nothing!
Greetings of the season to all
Regards,
Bruce
+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505 Fax: 201-236-1335
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
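Added example, not part of the original post and not code from SSLeay or mod_ssl: the "PEM_do_header: bad decrypt" lines in the output above are raised while decrypting a passphrase-protected PEM key, so a useful first check is whether the CA private key carries the "Proc-Type: 4,ENCRYPTED" header and which cipher it names. The function names and the two sample files are constructed for illustration; the path of the real CA key depends on the local ssleay.cnf.

```shell
#!/bin/sh
# pem_key_status FILE
# Prints "encrypted <cipher>" when the private key is passphrase-protected,
# "plaintext" when it is not, "not-a-pem-key" when no key block is found.
pem_key_status() {
    awk '
        # PKCS#8 encrypted keys carry no Proc-Type header; the label says it all.
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { seen = 1; enc = 1; cipher = "PKCS8"; next }
        /^-----BEGIN .*PRIVATE KEY-----/         { seen = 1; inkey = 1; next }
        /^-----END /                             { inkey = 0 }
        # Traditional SSLeay format: RFC 1421 style headers before the base64 body.
        inkey && /^Proc-Type:[ \t]*4,ENCRYPTED/  { enc = 1 }
        inkey && /^DEK-Info:/ {
            sub(/^DEK-Info:[ \t]*/, ""); split($0, f, ","); cipher = f[1]
        }
        END {
            if (!seen)    print "not-a-pem-key"
            else if (enc) print "encrypted " (cipher ? cipher : "unknown-cipher")
            else          print "plaintext"
        }
    ' "$1"
}

# make_samples DIR: writes two constructed files (placeholder bodies, no key material).
make_samples() {
    cat > "$1/enc.pem" <<EOF
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERBODYNOTAKEY=
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/plain.pem" <<EOF
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBODYNOTAKEY=
-----END RSA PRIVATE KEY-----
EOF
}

# Stand-alone use: report the status of every file named on the command line.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(pem_key_status "$f")"
    done
fi
```

An "encrypted" result means the key can only be loaded when the correct pass phrase is supplied, which a non-interactive CGI script has to arrange explicitly.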