Ah! With the ca-bundle.crt now at least my thawte cert works...

But since I want only OUR CA to be trusted I need just the
ca-dff.crt instead of the ca-bundle.crt.

But looking at the file I see very big differences
in the file format.

For each CA there is much more information besides the
PEM data (which is the only thing in my ca-dff.crt).
It's pretty verbose including the fingerprint as well
as some plain text info about the cert.

Maybe it is sorted out because this info is missing?

I wonder how I can create such a format for my CA cert.
Do you have an idea?


> Same thing happened to me. Then I configured a CA certificate file and 
> things went straight.
> The idea is that when the SSL handshake takes place, the server asks for a 
> certificate which
> he will consider valid. That is signed by a trusted CA.
> The server sends what HE considers to be trusted CA's to the browser, and 
> the browser filters
> the installed certificates, and shows only those signed by one of the 
> server trusted CA's.
> IE5 seems a little stupid.. and if no certificate passes this condition he 
> just presents an empty dialog.
> Just create a text file and drop there all your trusted CA's in PEM format, 
> (those that say -----BEGIN CERTIFICATE----- )
> Just cat them all, one after another. You can even place comments in 
> between them as mod_ssl will just parse
> from a -----BEGIN CERTIFICATE----- up to a -----END CERTIFICATE-----.
> Then add the directive
> SSLCACertificateFile certs/my_trusted_cas.crt
> Obviously replacing 'certs/my_trusted_cas.crt' by the path and name of the 
> recently created file.
> Now just try again.
> mod_ssl distribution comes with a file named ca-bundle.crt containing the 
> certificates for what netscape considers trusted CA's.
> You can use that one and add your ca-dff.crt in PEM format.
> Try yourself by adding and removing that entry and you'll see that when the 
> browser asks you to select a certificate, the newly
> created cert will appear or not depending on the presence of 'ca-dff.crt' 
> in that trusted CA's file of the server.
> Hope that helps you.

Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
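
An added example, not part of the original thread and not mod_ssl code: a Python sketch of the parsing rule described in the quoted reply, showing that a bundle with free-text headers and a bare PEM-only bundle yield the same certificates. Assumptions: all function names are hypothetical, the sample payloads are constructed placeholder bytes rather than real certificates, and the header uses a SHA-256 fingerprint as one possible annotation.

```python
import base64
import hashlib
import re

# Only text from BEGIN CERTIFICATE to END CERTIFICATE counts; the rest is commentary.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(bundle_text):
    """Return the decoded bytes of every certificate block, skipping text between blocks."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(bundle_text)]

def fingerprint(der):
    """Colon-separated SHA-256 fingerprint of the encoded certificate bytes."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def to_pem(der):
    """Wrap bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"])

def annotate(bundle_text, labels):
    """Rebuild a bundle with a human-readable header in front of each block."""
    out = []
    for label, der in zip(labels, pem_blocks(bundle_text)):
        out.append(f"{label}\n{'=' * len(label)}\n"
                   f"SHA256 Fingerprint={fingerprint(der)}\n{to_pem(der)}\n")
    return "\n".join(out)

# Constructed sample: placeholder bytes standing in for two DER certificates.
SAMPLE_DER = [b"constructed placeholder for ca-dff" * 3,
              b"constructed placeholder for another CA" * 3]
BARE = "\n".join(to_pem(d) for d in SAMPLE_DER) + "\n"
VERBOSE = annotate(BARE, ["Our CA (ca-dff.crt)", "Another CA"])

if __name__ == "__main__":
    print(VERBOSE)
    # The headers change nothing about which certificates the file carries.
    print("same certificates:", pem_blocks(VERBOSE) == pem_blocks(BARE))
```
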
