Thanks! Works now...
The client cert was in the wrong format... seems it needs to be .p12
not .crt!

Thanks a lot! :)
--
Torsten

> As I told you, the things between -----BEGIN CERTIFICATE----- up to a 
> -----END CERTIFICATE-----
> (including those tags) are the PEM encoded certificates. Everything else is 
> considered a comment.
> Actually you can create those comments with the help of openssl 
> (http://www.openssl.org):
> openssl x509 -in mycert.crt -noout -text
> Or
> openssl x509 -in mycert.crt -inform DER -noout -text
> if your certificate is in DER format
> 
> To convert a certificate from DER to PEM (native to mod_ssl) just do
> openssl x509 -in mydercert.crt -inform DER -out mypemcert
> and voila
> 
> To just trust one CA, use the directive
> SSLCACertificateFile ca-dff.crt
> 
> ENSURE your certificate is in PEM format (has -----BEGIN CERTIFICATE-----).
> If you later want to trust another CA, just cat the new cert to ca-dff.crt, 
> always in PEM format.
> 
> Once again, between -----END CERTIFICATE----- and the next -----BEGIN 
> CERTIFICATE-----
> is all comment to mod_ssl, so don't worry about the missing info.
> 
> 
> Good luck
> 
> Diego
> 
> 
> At 15:28 19/3/2001 +0100, you wrote:
> >Ah! With the ca-bundle.crt now at least my thawte cert works...
> >
> >But since I want only OUR CA to be trusted I need just the
> >ca-dff.crt instead of the ca-bundle.crt.
> >
> >But looking at the file I see very big differences
> >in the file format.
> >
> >For each CA there is much more information besides the
> >PEM data (which is the only thing in my ca-dff.crt).
> >It's pretty verbose including the fingerprint as well
> >as some plain-text info about the cert.
> >
> >Maybe it is sorted out because this info is missing?
> >
> >I wonder how I can create such a format for my CA cert.
> >Do you have an idea?
> >
> >Thanks
> >--
> >Torsten
> >
> > > Same thing happened to me. Then I configured a CA certificate file and
> > > things went straight.
> > > The idea is that when the SSL handshake takes place, the server asks for a
> > > certificate which
> > > he will consider valid. That is signed by a trusted CA.
> > > The server sends what HE considers to be trusted CA's to the browser, and
> > > the browser filters
> > > the installed certificates, and shows only those signed by one of the
> > > server trusted CA's.
> > > IE5 seems a little stupid.. and if no certificate passes this condition he
> > > just presents an empty dialog.
> > > Just create a text file and drop there all your trusted CA's in PEM format,
> > > (those that say -----BEGIN CERTIFICATE----- )
> > > Just cat them all, one after another. You can even place comments in
> > > between them as mod_ssl will just parse
> > > from a -----BEGIN CERTIFICATE----- up to a -----END CERTIFICATE-----.
> > > Then add the directive
> > > SSLCACertificateFile certs/my_trusted_cas.crt
> > >
> > > Obviously replacing 'certs/my_trusted_cas.crt' by the path and name of the
> > > recently created file.
> > >
> > > Now just try again.
> > > mod_ssl distribution comes with a file named ca-bundle.crt containing the
> > > certificates for what Netscape considers trusted CA's.
> > > You can use that one and add your ca-dff.crt in PEM format.
> > > Try yourself by adding and removing that entry and you'll see that when the
> > > browser asks you to select a certificate, the newly
> > > created cert will appear or not depending on the presence of 'ca-dff.crt'
> > > in that trusted CA's file of the server.
> > > Hope that helps you.
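A small parser, added here as an example (not mod_ssl's own code), that behaves the way the thread describes mod_ssl reading SSLCACertificateFile: only text between the BEGIN/END markers counts, everything else is comment, and a file that is DER rather than PEM yields no trusted CAs at all, which is the symptom Torsten hit. The sample bundle, its certificate bodies and the fingerprint line are constructed, not real certificates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample bundle: two tiny fake certificate bodies, surrounded by the
# kind of "openssl x509 -text" commentary and fingerprint lines ca-bundle.crt has.
SAMPLE_BUNDLE = """\
Certificate:
    Issuer: CN=Example CA One (constructed)
SHA1 Fingerprint=00:11:22:33 (constructed, not a real fingerprint)
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
Our own CA, appended with cat; to mod_ssl this line is just a comment too.
-----BEGIN CERTIFICATE-----
MAMCAQc=
-----END CERTIFICATE-----
"""

def split_pem_bundle(text):
    """Return the base64 body of every certificate block, in file order.
    Anything outside a BEGIN/END pair is ignored; a block that is opened but
    never closed is an error rather than a silently dropped CA."""
    blocks, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if current is None:
            if s == BEGIN:          # comment text ends, certificate starts
                current = []
        elif s == END:
            blocks.append("".join(current))
            current = None
        else:
            current.append(s)
    if current is not None:
        raise ValueError("unterminated certificate block")
    return blocks

def pem_body_to_der(body):
    """Decode one body; a DER certificate is an ASN.1 SEQUENCE (first byte 0x30)."""
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a SEQUENCE tag")
    return der

def looks_like_der(data):
    """True for a raw DER file (binary SEQUENCE). Such a file has no BEGIN
    marker, so split_pem_bundle() would find zero trusted CAs in it."""
    return len(data) > 0 and data[0] == 0x30
```

Run `looks_like_der(open(path, "rb").read())` on a suspect .crt before pointing SSLCACertificateFile at it; if it returns True, convert with the `openssl x509 -inform DER` command quoted above.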

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
