I'm no expert but it sounds like the list is quiet today so I'll chime
in. I'm assuming that error means either it can't find the CA cert or
your using a signing cert issued by a different CA. As I run several
different PKIs from the same browser, I think I've seen this error when
I've accidentally chosen the wrong RA Operator cert. Just a couple of
thoughts.
May I also suggest that you reply at the bottom of the emails. Top
posting makes it hard for anyone new to the thread to follow it (they'd
have to read it in reverse). Top posting is generally considered poor
etiquette on a mailing list.
Wish I could help more. Good luck - John
On Tue, 2008-12-30 at 13:20 -0500, David W Blaine wrote:
>
> OK slight improvement. I had imported the RA operator certificate into
> Firefox under "People" tab. This is incorrect. I deleted it from there
> and reimported it under the "Your Certificates" tab. Now the Firefox
> error matches the previously reported IE error:
>
> Error Code: 700
>
> The PKCS#7-object signals an error.
> The signature is not valid.
>
> PKCS#7-Error 7932039:
> OpenCA::PKCS7->parseDepth: There is
> a problem with the verification of
> the chain. ( error:7:certificate
> signature failure)
>
>
>
>
>
>
> -----------------------------------------------------------------
> DAVID BLAINE, GCIA , CISSP
> GDLS-C Lead Information Risk Manager (LIRM)
> CSC
>
> 6000 E. 17 Mile Rd. Sterling Heights MI 48313
> GIS | o: 586.825.7650 | c: 810.217.8041 | f: 586.825.8606 |
> dblai...@csc.com | www.csc.com
>
> This is a PRIVATE message. If you are not the intended recipient,
> please delete without copying and kindly advise us by e-mail of the
> mistake in delivery.
> NOTE: Regardless of content, this e-mail shall not operate to bind CSC
> to any order or other contract unless pursuant to explicit written
> agreement or government initiative expressly permitting the use of
> e-mail for such purpose.
>
>
> David W Blaine/GIS/c...@csc
>
> 12/30/2008 01:12 PM
> Please respond to
> "Users' Help and Suggestions"
> <openca-users@lists.sourceforge.net>
>
>
>
>
> To
> "Users' Help and
> Suggestions"
> <openca-users@lists.sourceforge.net>
> cc
> "Users' Help and
> Suggestions"
> <openca-users@lists.sourceforge.net>
> Subject
> Re:
> [Openca-Users]
> Signing CSR
>
>
>
>
>
>
>
>
> Hi John,
>
> Thanks for the reply.
>
> Yes I did set the 3 options in Firefox for the CA certificate when I
> imported it. I did have Firefox 3.0.4 installed now trying the latest
> 3.0.5. EDIT: no go same error with 3.0.5.
>
> I also have all 4 of the updates (plus the mail stuff and DBI.pm)
> installed that you listed.
>
>
> -----------------------------------------------------------------
> DAVID BLAINE, GCIA , CISSP
> GDLS-C Lead Information Risk Manager (LIRM)
> CSC
>
> 6000 E. 17 Mile Rd. Sterling Heights MI 48313
> GIS | o: 586.825.7650 | c: 810.217.8041 | f: 586.825.8606 |
> dblai...@csc.com | www.csc.com
>
> This is a PRIVATE message. If you are not the intended recipient,
> please delete without copying and kindly advise us by e-mail of the
> mistake in delivery.
> NOTE: Regardless of content, this e-mail shall not operate to bind CSC
> to any order or other contract unless pursuant to explicit written
> agreement or government initiative expressly permitting the use of
> e-mail for such purpose.
>
>
> "John A. Sullivan III"
> <jsulli...@opensourcedevel.com>
>
> 12/30/2008 12:42 PM
> Please respond to
> "Users' Help and Suggestions"
> <openca-users@lists.sourceforge.net>
>
>
>
> To
> "Users' Help and
> Suggestions"
> <openca-users@lists.sourceforge.net>
> cc
>
> Subject
> Re:
> [Openca-Users]
> Signing CSR
>
>
>
>
>
>
>
>
> On Tue, 2008-12-30 at 11:43 -0500, David W Blaine wrote:
> >
> > In IE 6, I get the error:
> >
> > Error Code: 700
> >
> >
> > The PKCS#7-object signals an error.
> > The signature is not valid.
> >
> > PKCS#7-Error 7932039:
> > OpenCA::PKCS7->parseDepth: There is
> > a problem with the verification of
> > the chain. ( error:7:certificate
> > signature failure)
> >
> >
> >
> >
> >
> >
> >
> > In Firefox 3, I get the error:
> >
> > Error Code: 6203
> >
> > The request is not signed!
> >
> > after a popup that states "sign is needed to proceed"
> >
> > I have checked both browsers and the RA and Root certificate look
> > properly imported.
> >
> > -----------------------------------------------------------------
> <snip><snip>
> >
> > I have this same problem. I checked the chain directory - and all
> is
> > ok there. It contains the cacert.crt and the chain. Permissions on
> the
> > file are 644 and owned by the web server account. I put in the
> patch
> > for viewCSR that Max posted in another thread. Can anyone else sign
> > their CSR's in Openca 1.0.2?
> >
> <snip>
> Hi, David. I can think of two possible issues. If I recall, when
> one
> imports the PKCS#12 package for the RA operator into the browser and
> it
> installs the CA cert, it does not set it as authorized to do much of
> anything. I believe I had to go into the CA cert in Firefox and
> check
> on the three check boxes for the various CA cert faculties.
>
> Or, it could be some of the bugs we hit which resulted in similar
> errors. I'm fighting my own deadline so I haven't cleaned this up
> but
> here is a cut and paste from our internal documentation:
>
> We need to patch the source code for some bugs in version 1.0.2.
>
> cd src/common/lib/cmds
>
> Backup the original versions:
>
> mv approveCSR{,.orig}
>
> mv viewCRR{,.orig}
>
> mv viewCert{,.orig}
>
> mv send_email_cert{,.orig}
>
> Move these backups to the base directory since they MUST not be
> installed in the cmds directory even as renamed files:
>
> mv *.orig ../../../../
>
> Download the new versions using wget from the following locations:
>
> http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/viewCert
>
> http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/send_email_cert
>
>
> http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/approveCSR
>
>
> http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/viewCRR
>
> Next we need to fix some spelling and grammar in the emails by
> patching
> the mails directory:
>
> cd ../mails (i.e., src/common/lib/mails)
>
> patch -p1 < opencamail-1.0.2.patch
>
> Now we need to patch DBI.pm
>
> cd ../../../modules/openca-dbi
>
> cp DBI.pm ../../../
>
> Apply the opencaDBI.pm-1.0.2.patch patch
>
> patch -p0 < opencaDBI.pm-1.0.2.patch
>
>
> I'll attach the two patches which are ours. I've submitted them to
> the
> OpenCA developers and do not know if they've been accepted. Frankly,
> I'm a perl ignoramus so they may not be very good patches. Good luck
> -
> John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsulli...@opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
> [attachment "opencaDBI.pm-1.0.2.patch" deleted by David W
> Blaine/GIS/CSC] [attachment "opencamail-1.0.2.patch" deleted by David
> W Blaine/GIS/CSC]
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Openca-Users mailing list
> Openca-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openca-users
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Openca-Users mailing list
> Openca-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openca-users
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openca-Users mailing list
> Openca-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openca-users
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
------------------------------------------------------------------------------
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
