System: Solaris running Apache 1.3.14, mod_ssl 2.7.1, openssl 0.9.6 with
Verisign global server id installed.

Problem: Netscape Navigator 4.74 complains that it doesn't recognize the
signer of the server cert.

I've followed the directions in mod_ssl for the global server id, and
checked the openssl and mod_ssl list archives, but I can't figure out how to
get Netscape to accept the cert as valid.  Can anyone suggest a fix, or tell
me how to install the intermediate CA cert manually in Netscape (so it's
there the first time a user connects to my server)?

Details:

I've installed server.crt (my Verisign global server id, created for Apache)
where SSLCertificateFile points and ca.crt (the Verisign intermediate CA
cert) where SSLCertificateChainFile points.

Running make in my ssl.crt directory (to create the hash code links) gives
me an error on the ca.crt file:

        unable to load certificate
        1938:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

This doesn't seem to be the problem because Apache finds the file by name
using SSLCertificateChainFile, and IE gets the intermediate cert correctly.

In IE, I can see the certificate chain, root CA -> intermediate CA ->
server, and everything validates correctly.  So it seems that Apache is
sending the intermediate cert, but NS ignores it.

At the moment the server name and the server cert CN are different, due to a
temporary DNS config.  Both browsers report that, but Netscape reports the
signature problem first.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
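
Added example, not part of the original post and not OpenSSL code: the "no start line" error quoted above means the PEM reader found no BEGIN line carrying a label it accepts, so this Python check classifies a certificate file the same way. The accepted-label set is an assumption drawn from OpenSSL's PEM reader, and every sample input is constructed for illustration.

```python
import base64
import re

# Labels an X.509 PEM reader accepts (assumption based on OpenSSL's PEM code;
# the page itself only shows "TRUSTED CERTIFICATE" in the error text).
X509_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
# A BEGIN line must start in column 0; trailing whitespace/CR is tolerated.
BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----[ \t\r]*$", re.MULTILINE)


def classify_cert_file(data: bytes) -> str:
    """Report how a PEM certificate reader would see the contents of a file."""
    labels = [m.group(1).decode() for m in BEGIN_RE.finditer(data)]
    if any(label in X509_LABELS for label in labels):
        return "pem-x509"                       # loadable as a certificate
    if labels:
        return "pem-wrong-label:" + labels[0]   # PEM, but not a bare certificate
    if b"-----BEGIN " in data:
        return "begin-marker-not-at-line-start" # indented or pasted mid-line
    if data[:1] == b"\x30":
        return "der-binary"                     # raw ASN.1 SEQUENCE, needs conversion
    return "no-pem-block"                       # text dump, HTML, empty file, ...


# Constructed sample inputs (not real certificates).
_DER = b"\x30\x82\x00\x04" + b"\x00" * 4
_B64 = base64.encodebytes(_DER)
SAMPLES = {
    "pem": b"-----BEGIN CERTIFICATE-----\n" + _B64 + b"-----END CERTIFICATE-----\n",
    "crlf": b"-----BEGIN CERTIFICATE-----\r\n" + _B64 + b"-----END CERTIFICATE-----\r\n",
    "pkcs7": b"-----BEGIN PKCS7-----\n" + _B64 + b"-----END PKCS7-----\n",
    "indented": b"  -----BEGIN CERTIFICATE-----\n" + _B64 + b"  -----END CERTIFICATE-----\n",
    "der": _DER,
    "text": b"Certificate:\n    Data:\n        Version: 3\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:9s} -> {classify_cert_file(blob)}")
```

Any result other than pem-x509 corresponds to the "no start line" failure when the file is read as a PEM certificate.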
