Hello Yngve,

On Wed, 2005-28-09 at 14:54 +0200, Yngve Zackrisson wrote:
...
> > > > Should I add a PKCS#12 cert file to the Mono Store (Machine store)
> > > > (mono /.../certmgr.exe -add -c -m Trust server16-cert.p12)
> > > > or add only the CA to the trust store
> > > > (mono /.../certmgr.exe -add -c -m Trust cacert16t.cer)
> > > > or anything else to get rid of this error message?.
> > >
> > > It must be either the user or machine Trusted store (otherwise you'll
> > > get a trust error).
> >
> > OK. But which certificate is preferable to add to the store?:
> >
> > a) mono /.../certmgr.exe -add -c -m Trust server16-cert.p12
> >
> > or
> >
> > b) mono /.../certmgr.exe -add -c -m Trust cacert16t.cer

Trust is transitive, i.e. the server will be trusted if its signer is
trusted. So only the self-signed root certificate needs to be added to
the Trust store.

> > I also have a question about the trust of the root CA certificate.
> > The cacert16t.cer above I have created with the following
> > openssl commands:
> >
> > ...
> > $ openssl x509 -in cacert16.pem -trustout -setalias "TrustedRootCert"
> > -out cacert16t.pem
> >
> > $ openssl x509 -inform PEM -in cacert16t.pem -outform DER -out
> > cacert16t.cer
> >
> > is the first openssl command necessary since the signed client
> > and server certificates, or at least its root CA,
> > should be added to the Windows/Mono (Trust) store?.
> >
> > Currently I use the cacert16t.pem file as -certfile
> > when creating the client and server PKCS#12 files -
> > with the openssl pkcs12 command.
> > Will the cacert16.pem file be enough?

I honestly don't know (without reading the man page myself). I don't use
openssl much (for x.509 related stuff) because (a) its formats aren't
the ones natively used in .NET and (b) I try to dogfood my own tools ;-)

...
> > > Yesterday (after your previous email) I tried to use the MS runtime for
> > > client certificate without success (same failure). Somehow MS does
> > > something different* because the server can't verify the signature (and
> > > it's not a key and/or decryption problem - the hash value is different
> > > but the padding is ok).
> > >
> > > Using IE (with the SSL2 client hello) to do the same turned out another
> > > problem, very similar to the bug #76254 reported today.
> > >
> > > [*] The client certificate testing is done with wget/openssl
> > > (linux/cygwin) - which sadly doesn't seem enough :(
> >
> > Please let me know if you come up with some solution.
> >
> > I have been working with the HTTPS communication for some 2 months now,
> > and my boss is eager to get a solution :-).

Please open a bugzilla issue on bugzilla.ximian.com (e.g. "SSL client
certificate doesn't work with IE."). That way you'll get notified as
soon as (and whenever) I change the bug status.

-- 
Sebastien Pouliot
email: [EMAIL PROTECTED]
blog: http://pages.infinit.net/ctech/

_______________________________________________
Mono-devel-list mailing list
Mono-devel-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list