Paul Rubin wrote:
> 
> Hi, I'm trying to install a GlobalID into the c2 Stronghold server
> which is pretty similar to modssl (I have to use Stronghold because
> it's for a commercial server in the US).  I'm having a lot of trouble
> and found some messages about GlobalID's in the sw-mod-ssl archives
> so I thought I'd ask for advice here.  The problem is that the GSID
> is delivered as two separate certificates that need to be chained.
> There is the GSID itself and an intermediate cert that signs it.
> Simply dropping the intermediate cert into the directory pointed
> to by SSLCACertificatesPath doesn't seem to help.  The browser acts
> like it's just received the GSID itself which it treats as a valid
> cert signed by an unknown issuer, so I don't get the 128 bit step-up.

You have to make a link to the intermediate certificate file.

My 'SSLCACertificatesPath' looks as follows:

58546a39.0 -> VeriSign_Trusted_Network.pem
7651b327.0 -> VeriSign_Class_3.pem

The hash value can be calculated with:

openssl x509 -noout -hash -in <certfile>

> 
> Connecting with ssleay's s_client shows a 1-deep cert chain: the GSID
> and the intermediate cert.  Only one certificate seems to be
> displayed.  Connecting to another machine presenting a GSID from
> Netscape Proxy Server gives a 2-deep chain: the GSID, the intermediate
> cert, and the Verisign Class 3 Public Primary CA.  Again, it only
> shows one PEM cert, but it's about twice as long as the one that I get
> from Stronghold.
> 
> Anyway I'm wondering, has anyone here gotten a real Verisign GlobalID
> (not a non-chained selfsigned one with a patched cert7.db file)
> to work with modssl?  What did you do to install the intermediate cert?
> Is there some tool that combines the certs in a chain into one PEM file?
> Has the GSID been observed to work (i.e. to give 128 bit crypto and
> not cause disconnects) in both Netscape and MSIE browsers?
> 
> Thanks very much for any advice.
> 
> Paul
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
> Official Support Mailing List               [EMAIL PROTECTED]
> Automated List Manager                       [EMAIL PROTECTED]

-- 

-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312
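
Added example, not part of the original message: a shell function that creates the hash-named links described in the reply for every certificate in a CA directory, using the same `openssl x509 -noout -hash` command. The function name `link_ca_certs`, the `.pem` extension and the directory argument are assumptions; it skips files that are not certificates and picks the next free `.N` suffix when two different certificates share a hash.

```shell
#!/bin/sh
# Added example: build <subject-hash>.<n> symlinks in a CA directory so that
# OpenSSL's directory lookup can find intermediate and root certificates.
# link_ca_certs is a hypothetical helper name; pass the directory that
# SSLCACertificatesPath points to.

link_ca_certs() {
    cadir=$1
    [ -d "$cadir" ] || { echo "not a directory: $cadir" >&2; return 1; }
    linked=0
    for pem in "$cadir"/*.pem; do
        [ -f "$pem" ] || continue
        # Files that do not parse as X.509 (keys, CSRs, junk) are skipped.
        subj_hash=$(openssl x509 -noout -hash -in "$pem" 2>/dev/null) || {
            echo "skipping (not a certificate): $pem" >&2
            continue
        }
        fp=$(openssl x509 -noout -fingerprint -in "$pem")
        n=0
        # Find the first free suffix; stop early if this cert is already linked.
        while [ -e "$cadir/$subj_hash.$n" ] || [ -L "$cadir/$subj_hash.$n" ]; do
            existing=$(openssl x509 -noout -fingerprint \
                       -in "$cadir/$subj_hash.$n" 2>/dev/null) || existing=""
            [ "$existing" = "$fp" ] && continue 2
            n=$((n + 1))
        done
        # Relative link target, matching the listing in the reply.
        ln -s "$(basename "$pem")" "$cadir/$subj_hash.$n"
        echo "$subj_hash.$n -> $(basename "$pem")" >&2
        linked=$((linked + 1))
    done
    # Number of links created on this run.
    echo "$linked"
}

# Run directly as: sh link_ca_certs.sh /path/to/ca-directory
if [ "$#" -gt 0 ]; then
    link_ca_certs "$1"
fi
```

After linking, `openssl verify -CApath <directory> <server-cert>` confirms that the server certificate chains through the intermediate to a root in that directory.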