I hit that problem but it did not manifest in this way.  Instead, the
certs were unusable by the clients.  We changed the configs in
etc/openca/openssl/openssl to use sha1 instead of sha256 and all worked
well.

I remember this one, now, and I think you already ensured the CA cert
was in the Authorities section and not elsewhere and it was edited to be
trusted for all three categories in the edit dialog.

I have had some grief using dc certs as I've mentioned elsewhere, e.g.
the same value shows up in both dc fields (haven't gotten an answer on
that one yet), but not this problem.

I think you said you also checked to ensure you were using the correct
RA Operator cert and it was indeed issued by this CA.  Just for kicks,
have you evaluated the issuer field of the RA Operator cert with the
subject field of the CA cert?

Is the CA cert a valid CA cert (I forget offhand what the basic
constraint is)? Is it self-signed? If not, do you have the signer
installed? Those are a few of my thoughts.  Hope they help jog something
in your mind.  Take care - John

On Mon, 2009-01-12 at 12:42 -0500, Scott Rea wrote:
> Chances are that you did not change the default signature hash (which is 
> SHA256 in this version), and your client machine does not support 
> signatures created with SHA256.
> Either change the default algorithm to SHA1 or upgrade the client you 
> are using to connect to the interface.
> This has been discussed on the list recently, I believe.
> -Scott
> 
> 
> David W Blaine wrote:
> >
> > Thanks, John.
> >
> > I already ran into this using Postgres.... This patch is already 
> > installed. I am using DC style certificates (which is new to me and I 
> > had to change a bunch of the templates to support this). To reiterate, 
> > here are the errors I get:
> >
> > In IE 6, I get the error:
> >
> > Error Code: 700  
> >
> >  
> >     The PKCS#7-object signals an error. The signature is not valid.
> >
> > PKCS#7-Error 7932039: OpenCA::PKCS7->parseDepth: There is a problem 
> > with the verification of the chain. ( error:7:certificate signature 
> > failure)
> >
> > In Firefox 3, I get the error:
> >
> > Error Code: 6203  
> >     The request is not signed!
> >
> >
> > after a popup that states "sign is needed to proceed"
> >
> > -----------------------------------------------------------------
> > DAVID BLAINE, GCIA , CISSP
> > GDLS-C Lead Information Risk Manager (LIRM)
> > CSC
> >
> > 6000 E. 17 Mile Rd. Sterling Heights MI 48313
> > GIS | o: 586.825.7650 | c: 810.217.8041 | f: 586.825.8606 | 
> > dblai...@csc.com | www.csc.com
> >
> > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------------
> > This SF.net email is sponsored by:
> > SourcForge Community
> > SourceForge wants to tell your story.
> > http://p.sf.net/sfu/sf-spreadtheword
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Openca-Users mailing list
> > Openca-Users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openca-users
> >   
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
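
The checks suggested in this thread (signature hash, RA Operator issuer against CA subject, basic constraints, self-signed, chain verification) can be run with the `openssl` CLI. This is an added example, not code from the thread participants or from OpenCA; the function names, file names and the `example.org` DC-style subjects are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: certificate checks via the openssl CLI.
# Signature algorithm on a certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Printed DN of a cert field ($1 = issuer|subject, $2 = cert file), label stripped.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"; }

# True when the issuer of cert $1 prints identically to the subject of CA cert $2.
issuer_matches() { [ "$(dn issuer "$1")" = "$(dn subject "$2")" ]; }

# True when the cert carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# True when cert $1 verifies against CA file $2 (fails on a bad signature too).
chain_ok() { openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; }

# Self-signed: issuer equals own subject and the signature verifies with own key.
is_self_signed() { issuer_matches "$1" "$1" && chain_ok "$1" "$1"; }

# Build a constructed SHA-256 CA and RA Operator cert in directory $1 (demo data only).
make_demo_pki() {
  local d="$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' '0.DC=org' '1.DC=example' 'CN=Demo CA' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -subj '/DC=org/DC=example/CN=RA Operator' \
    -newkey rsa:2048 -nodes -keyout "$d/ra.key" -out "$d/ra.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/ra.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$d/ra.pem" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d) && make_demo_pki "$d" || return 1
  echo "CA sig: $(sig_alg "$d/ca.pem")  RA sig: $(sig_alg "$d/ra.pem")"
  issuer_matches "$d/ra.pem" "$d/ca.pem" && echo "RA issuer == CA subject"
  is_ca "$d/ca.pem" && is_self_signed "$d/ca.pem" && echo "CA: CA:TRUE, self-signed"
  chain_ok "$d/ra.pem" "$d/ca.pem" && echo "RA cert verifies against CA"
  rm -rf "$d"
}
demo
```

Against a real installation, call the functions on the exported CA and RA Operator PEM files instead of the demo pair; a `sig_alg` result naming SHA-256 on a client that only handles SHA-1 corresponds to the situation described above.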

