Hi all,

I posted the same problems a few weeks back. I have only
successfully installed both the CA and the client certificate
in both Netscape and MSIE 5 (just follow the PKCS#12 FAQ):

FOR THE CA:
1. Went to a new directory and did: CA.sh -newca. This created a demoCA directory
   that has the CA certificate and key in cacert.pem and the private key in private/cakey.pem
2. Then added more days for that certificate:
   openssl x509 -in demoCA/cacert.pem -days 1024 -out newcert.pem -signkey demoCA/private/cakey.pem
3. Then I replaced demoCA/cacert.pem with newcert.pem generated with the last command

FOR THE CLIENT CERTS:
1. Modify the openssl.cfg: comment nsCertType line (THIS I DIDN'T DO BECAUSE I WAS
   TESTING FOR NETSCAPE BROWSER AND HAD nsCertType=client, mail, objsign, it worked
   anyway, MSIE 5 recognized the netscape extensions)
2. Create the client request with: CA.sh -newreq
3. Sign the request with: CA.sh -signreq
4. Convert to PKCS#12 with:
   openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -name "PERSONAL CERTIFICATE" -certfile demoCA/cacert.pem -out thecert.pfx
5. I also convert the demoCA/cacert.pem to PKCS#12:
   openssl pkcs12 -export -in demoCA/cacert.pem -inkey private/cakey.pem -name "MY_ORG CA" -certfile demoCA/cacert.pem -out thecacert.pfx

Then I only import thecert.pfx file and tell MSIE 5 to put it in the
Personal Store and it gets added.
I also import the thecacert.pfx but put it in the Trusted Sites Store so
that when the server sends its certificate (signed with my CA)
the MSIE 5 browser knows it can trust it and not put a warning message.

The problems I have right now are:

1. With MSIE 5: when the server asks for a client
certificate, a window appears telling me to select a certificate to
send to the server, but none appears in the list, and I do have one
imported in the Personal Store.

2. With Netscape: I try to connect to the server but it says, "The
certificate is not approved for the attempted operation".
I go to the security tab, select Signers and the CA that I installed can be
verified successfully, but the certificate in Yours says: Certificate
not trusted, reason that I think is because the above message appears.
I have a Netscape Enterprise Server and when the error occurs,
the server log files say:
[28/Sep/1999:11:36:21] failure (28995): Error receiving connection (SSL_ERROR_BAD_CERT_ALERT - the server cannot verify your certificate.)

Am I still missing something?

Hector Jimenez @ QoS Labs


Hj

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
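
A check that can be run on the PEM files before converting them to PKCS#12, given here as an added example that is not part of the original post: it tests whether a certificate chains to the CA and passes OpenSSL's `sslclient` purpose check, which takes the nsCertType extension mentioned in the client steps into account. It uses plain openssl commands rather than CA.sh, and the temporary directory, file names, subject names and config section names are all constructed for the example.

```shell
# Added example: throwaway PKI built in a temp dir (all names constructed).
make_demo_pki() {  # $1 = empty directory to fill
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
[client]
nsCertType = client, email, objsign
[server]
nsCertType = server
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -extensions ca_ext -subj "/CN=Constructed Demo CA" -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for leaf in client server; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
            -subj "/CN=Constructed $leaf" \
            -keyout "$d/$leaf.key" -out "$d/$leaf.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$leaf.csr" -CA "$d/ca.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/pki.cnf" \
            -extensions "$leaf" -days 30 -out "$d/$leaf.pem" 2>/dev/null || return 1
    done
}

# True only if cert $2 chains to CA $1 and passes the sslclient purpose check.
check_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" 2>/dev/null | grep -q ': OK$'
}

# Show the extensions that the purpose check looks at.
show_usage_exts() {
    openssl x509 -in "$1" -noout -text | grep -A1 -E 'Netscape Cert Type|Basic Constraints'
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
for leaf in client server; do
    if check_client_cert "$demo_dir/ca.pem" "$demo_dir/$leaf.pem"; then
        echo "$leaf.pem: accepted for TLS client authentication"
    else
        echo "$leaf.pem: rejected for TLS client authentication"
        show_usage_exts "$demo_dir/$leaf.pem"
    fi
done
rm -rf "$demo_dir"
```

Against real files the same check is `check_client_cert demoCA/cacert.pem newcert.pem`, with `show_usage_exts` on either file to see which extensions are present.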
