Daniel,

    I'm having a little problem reading the code since some of the lines got
broken in odd places by your mail client. However, I would think you would
also need to import the CA certificate into the ROOT store of the account
under which IIS runs. Perhaps you have and that is what you meant when you
wrote

" ... I have generated my own self signed CA certificate using openssl and
      I  have imported it successfully into IE in the trusted CA list on the
      machine running my web server. ..."

I confess I am not an IIS expert so this is just a quick guess.


Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]

----- Original Message -----
From: "Daniel Villeneuve" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 17, 2001 6:39 PM
Subject: Problem with client certificate with IIS 4.0


> I have a client program running on Linux Red Hat 7.0 and my web server
> is MS IIS 4.0.
> I have generated my own self signed CA certificate using openssl and I
> have imported it successfully into IE in the trusted CA list on the
> machine running my web server.
> I have also generated a certificate for my web server, signed it using
> my CA certificate and imported it successfully into IIS.
> My client program can connect successfully to my web server and my
> client program receives successfully the server certificate.
> My client program can access any web page on my web server without any
> problem if my web site doesn't require a client certificate.
> My problem is when my web site is configured to require a client
> certificate, my client program is unable to access any web page even if
> the server certificate verification succeeded and the SSL_connect()
> also succeeded. When my client program tries to access a web page, it
> receives this message from the server "Forbidden 407..... Forbidden 407.7
> .... Contact your web server administrator to obtain a valid client
> certificate."
>
> Here is how I have generated my certificates:
>
> For my self signed CA certificate:
> $ openssl genrsa -des3 -out MyCA.key 1024
> $ openssl req -new -x509 -days 365 -key MyCA.key -out MyCA.crt
> $ openssl pkcs12 -export -in MyCA.crt -inkey MyCA.key -out MyCA.pfx
>     => the pkcs12 command is to have my ca certificate in pkcs12 format
> to be able to import it into IE.
>
> For my server certificate:
> $ openssl genrsa -des3 -out IIS.key 1024
> $ openssl req -new -key IIS.key -out IIS.csr
> $ openssl ca -cert MyCA.crt -in IIS.csr -keyfile MyCA.key -enddate
> 020101010000Z -out IIS.crt
>       => here I specify an end date to be sure the end date of my server
> certificate is not after the end date of my CA.
>       => I also remove the text part before the ---BEGIN CERTIFICATE---
> from my file IIS.crt because IIS is not able to deal with this.
> $ openssl rsa -in IIS.key -outform NET -out IISnet.key
>       => here I change the format of my server private key file to be
> able to import it into IIS.
>
> For my client certificate:
> $ openssl genrsa -des3 -out client.key 1024
> $ openssl req -new -key client.key -out client.csr
> $ openssl ca -cert MyCA.crt -in client.csr -keyfile MyCA.key -enddate
> 020101010000Z -out client.crt
>       => here I specify an end date to be sure the end date of my client
> certificate is not after the end date of my CA.
>
> Here is my client program code:
> ...
>  (whole lotta code snipped)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
