"Kenneth R. Robinette" wrote:
> 
> Problem:
> 
> A Unix Apache/mod-ssl server .crt/.key pair
> generated from a .csr/.key signed by a self
> generated CA Cert on 32 bit Windows will not work
> with the Netscape 4.72 client running on Linux
> Redhat 6.2.
> 
> However the same .csr/.key signed by the same
> self generated CA Cert on Redhat 6.2 Linux will
> work.  It will also work with the Microsoft
> Explorer 5.50.4522.1800 running on Windows 98,
> regardless of where the .crt/.key pair was signed.
> 
> The Netscape client fails with the message
> "OpenSSL: error:14094412: SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate" in the apache log file.
> 
> It would appear that the Windows based OpenSSL ca
> program is not consistent with the Unix based
> OpenSSL ca program.
> 

The two cases should be identical with respect to the generated
certificates.

How are you generating the certificates (i.e. what precise command) and
how are you importing them into Netscape, presumably a PKCS#12 file?

You mention the "same self generated CA certificate". What do you mean
by "same"? Is this the same private key or the same DN? If it is the
same DN but different keys, have you installed both CA certificates as
trusted in Apache? It's possible if the DNs are the same but the keys are
different that it is attempting to verify one certificate against the
other CA and causing a verify error as a result.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
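
The same-DN, different-key situation raised in the reply above can be reproduced and checked with the openssl command line. This is an added example, not part of the original message: the DNs, host name and file names are constructed, and it assumes an openssl binary with its default configuration file is installed.

```shell
#!/bin/sh
# Constructed demo: every DN, host name and file below is made up.
DEMO_DIR=$(mktemp -d)
CA_SUBJ="/C=US/O=Example Org/CN=Example Test CA"

# Build two self-signed CAs with the same DN but separately generated keys,
# then sign one server CSR with CA "a" only.
setup_demo() {
    for ca in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "$CA_SUBJ" -keyout "$DEMO_DIR/ca_$ca.key" \
            -out "$DEMO_DIR/ca_$ca.crt" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$DEMO_DIR/server.csr" -sha256 -days 30 \
        -set_serial 1 -CA "$DEMO_DIR/ca_a.crt" -CAkey "$DEMO_DIR/ca_a.key" \
        -out "$DEMO_DIR/server.crt" 2>/dev/null
}

# Subject DN of a certificate, in a stable one-line form.
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1"; }

# SHA-256 over the PEM public key: differs whenever the key pair differs.
pubkey_hash_of() { openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256; }

# Exit status 0 only if certificate $2 chains to the CA in file $1.
verifies_under() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print DN, key hash and verification result for each CA. The DN alone
# cannot tell the two CAs apart; the key hash and the verify result can.
report() {
    for ca in a b; do
        f="$DEMO_DIR/ca_$ca.crt"
        if verifies_under "$f" "$DEMO_DIR/server.crt"; then r=OK; else r=FAIL; fi
        echo "ca_$ca: $(subject_of "$f") key=$(pubkey_hash_of "$f") verify=$r"
    done
}

setup_demo && report
```

The exact error openssl reports for the second CA depends on whether the certificates carry key identifier extensions, so the script checks only the pass/fail status.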