> >
> > 5. I also convert the demoCA/cacert.pem to PKCS#12:
> > openssl pkcs12 -export -in demoCA/cacert.pem -inkey private/cakey.pem -name "MY_ORG CA" -certfile demoCA/cacert.pem -out thecacert.pfx
> >
>
> DO NOT DO THIS! If you do this with users you end up giving them the CA
> private key!! They can then impersonate the CA and issue certificates
> with any details they want in them.

Ok, so do I just strip that off the command? (-certfile demoCA/cacert.pem)
I just practically copied it from the FAQ.

> There are several ways to do this properly. In your description you
> appear to have included cacert.pem in the PKCS#12 file which is OK. IE5
> should automatically prompt you to add the CA certificate. Netscape
> should auto add the CA certificate as untrusted: you then just have to
> find it under signers and click the trust boxes.

Ok but you just told me not to include that file.

> Alternatively: you can strip any lines before the BEGIN and after END in
> cacert.pem and import that file. You can create a link pointing to
> cacert.pem that sends it as MIME type application/x-x509-ca-cert on a
> server.

That's what I did, but did not strip off the BEGIN-END lines, did that affect
anything?

>
> > 2. With Netscape: I try to connect to the server but it says, "The
> > certificate is not approved for the attempted operation".
>
> This is caused by problems with the server certificate or the server CA if
> you get this message as soon as you attempt to connect. Usually
> inappropriate certificate extensions: e.g. set up for SSL client.

Ok, so I have to add the nsCertType extensions when I create the CA, and
also the server's certificate, correct?

> > I go to the security tab, select Signers and the CA that I installed
> > can be verified successfully, but the certificate in Yours says:
> > Certificate not trusted, reason that I think is because the above
> > message appears.
>
> No, you get something different if that's the case. I assume you've set
> the CA to be trusted for client certificates?

How do I do this? When creating the CA with CA.sh? Again, I followed the
FAQ.

> Steve.

Hj

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
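
Added example, not part of the original message or of OpenSSL: a pre-distribution check for a CA certificate file that keeps only the CERTIFICATE blocks (dropping any text before BEGIN and after END) and refuses to export if a private key block is present. The function name, exception name and sample data are hypothetical; the sample blocks are constructed placeholder bytes, not real certificate or key material.

```python
import base64
import re

# PEM armor: -----BEGIN <label>----- base64 body -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


class PrivateKeyFound(Exception):
    """A file meant for distribution contains private key material."""


def publishable_ca_pem(pem_text):
    """Return only the CERTIFICATE blocks, dropping text outside the armor.

    Raises PrivateKeyFound if any block label ends in PRIVATE KEY.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label.endswith("PRIVATE KEY"):
            raise PrivateKeyFound(f"refusing to export: {label} block present")
        if label != "CERTIFICATE":
            continue  # requests, CRLs etc. do not belong in a CA cert file
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return "\n".join(certs) + "\n"


# Constructed sample input: placeholder bytes, not a real certificate or key.
FAKE_B64 = base64.b64encode(b"constructed placeholder, not real DER " * 3).decode()
SAMPLE_CERT_ONLY = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
    "trailing notes\n")
SAMPLE_WITH_KEY = SAMPLE_CERT_ONLY + (
    f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_B64}\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(publishable_ca_pem(SAMPLE_CERT_ONLY), end="")
    try:
        publishable_ca_pem(SAMPLE_WITH_KEY)
    except PrivateKeyFound as exc:
        print(exc)
```

This checks PEM text only; it does not inspect the contents of a PKCS#12 (.pfx) container.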
