MSIE4, on my coworker's machine, fails to use its imported client
certificate, though the import of both the client and CA certificates is
successful. This is sucky, and gives me an error message of:

[21/May/1999 16:08:15] [error] OpenSSL: error:1408909F:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:length mismatch

I thought perhaps this might be due to something in the way I generated
the certificates...
So, AFTER LOOKING THROUGH ABOUT 300 OLD OPENSSL-USERS LIST MESSAGES, I
decided to post here. Please flame gently if you must -- I'd like to
figure out what's going wrong here! So:
I have a delightful little openssl.cnf file that lets me make
certificates that work in (at least some) IE4 clients, of 512 bit
length, and... well, have a look at relevant sections:
[...]
[ req ]
default_bits = 512
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Macro International
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server, client
# For an object signing certificate this would be used.
#nsCertType = objsign
# For normal client use this is typical
#nsCertType = sslclient, email
# This is typical also
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# Import the email address.
subjectAltName=email:copy
# Copy subject details
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://bucks.vermont.macroint.com/ssl/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[...]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
--
"Chaos, panic, and disorder -- my work here is done."
--Doc Technical