I would like to thank you for pointing me to the newer version of OpenSSL.  I
upgraded to 9.5a and was able to get Netscape CMS to issue me an Apache Server
certificate.  In addition, I was able to get mutual authentication to work!

Thanks again for responding.  I do appreciate it.

Lorrayne

Mads Toftum wrote:

> On Wed, May 03, 2000 at 10:22:30AM -0700, Schaefer,Lorrayne J. wrote:
> > I am working with Apache 1.3.12, OpenSSL 0.9.3, and
> > mod_ssl-2.6.3-1.3.12.  All software is installed on Solaris 2.8.   I
> > have Netscape CMS 4.1 installed as well.  The Netscape CMS is our root
> > CA and we would like to have the Netscape CA issue our Apache Web Server
> > and Netscape Communicator certificates.
> >
>
> Hmmm - your openssl version is a bit old - the current is up to 0.9.5a.
> I don't think it'll fix your problem, but there are a few issues with
> the random number generator in pre-0.9.5 versions.
> I know close to nothing about the Netscape Certificate server, but I'll
> try to answer this on general knowledge.
>
> > We were able to establish a one-way SSL channel only.  The bad news here
> > is that we could only establish this channel with Apache being the
> > issuing authority.  We could NOT get this to work with Netscape CA.  We
> > received the error message "Missing or malformed KeyGen, PKCS10 or CRMF
> > request."  This is the message we received when posting the cert request
> > to our Netscape Root CA.
> >
> You're not making this very clear, but I'm guessing that what you're
> talking about is that you can't get your NS CA server to accept certificate
> requests generated by openssl?
> Did you follow the instructions at
> http://www.modssl.org/docs/2.6/ssl_faq.html#ToC28 ?
> That should generate a well formed certificate request in pkcs10 format.
>
> [SNIP]
>
> > We decided to try to use the bootstrap server cert to see if we could at
> > least do mutual authentication.  We loaded the Netscape Root CA cert into
> > Apache's trusted root database.  We used tools provided with the server
> > to verify that the root CA cert was properly installed.  It was.  After
>
> Did you do a make in the /path/to/apache/conf/ssl.crt dir?
>
> > restarting the server in mutual authentication mode, we then attempted
> > to authenticate ourselves to the Web server and received the error
> > messages "certificate signature failure, ASN1_verify:bad get asn1 object
> > call, SSL3_GET_CLIENT_CERTIFICATE:no certificate returned."  We know that
> > the server properly queried the browser for a client cert as we configured
> > the browser to prompt us each and every time a cert is required.
> >
> This usually means that the browser did not return a client certificate -
>
> > So, we next added the subordinate CA cert (the issuer of our end entity
> > cert) to the trusted root database.  We received the same error
> > messages.
> >
> > Next, we removed the root and subordinate CAs from our trusted root
> > database.  As expected, we received the error message indicating that it
> > couldn't locate the issuer in its trusted root database.  From this, we
> > definitely know that it can locate the CA in its trusted root database.
> > The problem is that we don't know why it's failing to validate the CA's
> > cert.
> >
> > Any help would be greatly appreciated.
> >
>
> Do take the time to look through the example at:
> http://www.modssl.org/docs/2.6/ssl_howto.html#ToC6 - is your setup any
> different from that?
> http://www.modssl.org/docs/2.6/ssl_faq.html also provides several ways
> to check content of certificates and requests.
> Setting SSLLogLevel to debug might also help you track the problem.
> Also try:
> openssl s_client -connect localhost:443 -CAfile ca.crt -showcerts -debug \
> -key client.key -cert client.crt
>
> where the .crt files are in PEM format. More info at
> http://www.openssl.org/docs/apps/s_client.html
>
> Kind regards
>
> Mads Toftum
> --
> `Darn it, who spiked my coffee with water?!' - lwall
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
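The checks Mads points to above (a well-formed PKCS#10 request, a CA certificate the server can actually locate and validate, and the hash-named files that `make` in `conf/ssl.crt` builds) replayed offline, as an added shell example that is not code from the thread or from mod_ssl. It assumes only the `openssl` command-line tool; the root CA, subordinate CA and browser certificate it creates are constructed stand-ins for the Netscape CA hierarchy in the thread, and the file names under the scratch directory are the example's own. It also exercises the situation Lorrayne describes, an end-entity cert issued by a subordinate CA: trusting the root alone is not enough, the subordinate's certificate has to be in the trusted file (or the hash directory) as well.

```shell
#!/bin/sh
# Added example, not part of the thread: replay the checks suggested above
# offline. Assumes only the openssl command-line tool. Every file is
# constructed here in a scratch directory; the throw-away root and
# subordinate CA stand in for the Netscape CA hierarchy in the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA (stand-in for the Netscape root CA).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Private key plus PKCS#10 request, what the mod_ssl FAQ step produces.
make_csr() {   # $1 = basename, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Is the file a well-formed PKCS#10 request with a valid self-signature?
# Worth running before posting a request to any CA. Exit status 0 = yes.
check_csr() {   # $1 = request file
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Sign a request with a CA; $3 names a file of X.509v3 extensions, which is
# how the subordinate CA certificate gets basicConstraints CA:TRUE.
sign_csr() {   # $1 = request basename, $2 = CA basename, $3 = extension file
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Verify a certificate against a PEM file of trusted CA certs, the lookup
# SSLCACertificateFile drives when SSLVerifyClient is on.
verify_chain() {   # $1 = certificate, $2 = CA file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# What "make" in apache/conf/ssl.crt does: one copy of each CA cert named by
# its subject hash (hash.0; hash.1 and so on for a collision) so that
# SSLCACertificatePath lookups can find the issuer.
build_hash_dir() {   # $1 = directory, remaining args = CA cert files
    dir="$1"; shift
    mkdir -p "$dir"
    for crt in "$@"; do
        cp "$crt" "$dir/$(openssl x509 -noout -hash -in "$crt").0"
    done
}

verify_with_path() {   # $1 = hash directory, $2 = certificate
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Returns 0 only when every expected outcome holds.
run_demo() {
    make_root_ca || return 1
    make_csr sub "Test Subordinate CA" || return 1
    make_csr client "Test Browser User" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/ee.ext"

    # A good request passes; a truncated one is what a CA rejects as malformed.
    check_csr "$WORK/client.csr" || return 1
    printf '%s\n%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'not base64' > "$WORK/broken.csr"
    if check_csr "$WORK/broken.csr"; then return 1; fi

    sign_csr sub root "$WORK/ca.ext" || return 1
    sign_csr client sub "$WORK/ee.ext" || return 1

    # Trusting the root alone fails when the issuer is a subordinate CA ...
    if verify_chain "$WORK/client.crt" "$WORK/root.crt"; then return 1; fi
    # ... the trusted file has to carry the whole chain the client cert hangs off.
    cat "$WORK/root.crt" "$WORK/sub.crt" > "$WORK/ca-bundle.crt"
    verify_chain "$WORK/client.crt" "$WORK/ca-bundle.crt" || return 1

    # Same check through a hash directory, as SSLCACertificatePath would use it.
    build_hash_dir "$WORK/ssl.crt" "$WORK/root.crt" "$WORK/sub.crt" || return 1
    verify_with_path "$WORK/ssl.crt" "$WORK/client.crt" || return 1
}

run_demo
echo "all certificate checks behaved as expected; files are under $WORK"
```

Each helper exits non-zero on failure, so the same functions can be pointed at real files: `check_csr server.csr` before a request goes to the CA, and `verify_chain client.crt ca-bundle.crt` with the file Apache's `SSLCACertificateFile` names, which shows whether the server side could ever validate that client certificate. The `openssl s_client` invocation from the thread is not in the script because it needs a running server; it is the natural next step once these offline checks pass.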