From: "Jennifer Arden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: Win32 CA signed Apache Server-Netscape .CRT Problem
Date sent: Fri, 19 Jan 2001 13:21:20 -0500
Send reply to: [EMAIL PROTECTED]
No, as I stated in BOTH cases the name is .crt and .key. It works in
the Linux signed case but not the Windows signed case. Both
cases use the same apache/mod-ssl setup on the same Linux
Redhat 6.0 system.
Ken
Ken
I think with Apache server. The cert must have the extension of .pem
I hope this help
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Kenneth R.
Robinette
Sent: Friday, January 19, 2001 1:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Win32 CA signed Apache Server-Netscape .CRT Problem
Date sent: Fri, 19 Jan 2001 17:24:55 +0000
From: Dr S N Henson <[EMAIL PROTECTED]>
Organization: S N Henson
To: [EMAIL PROTECTED]
Subject: Re: Win32 CA signed Apache Server-Netscape .CRT Problem
Send reply to: [EMAIL PROTECTED]
The .csr/.key is generated using the following commands:
openssl genrsa -out server.key 1024
openssl req -new -config /tmp/openssl.cnf -key server.key -out
server.csr
I then sign it with the openssl ca progam with a self generated/self
signed ca crt and key. I then transfer the resulting server.key and
server.csr to the Unix workstation and place in:
/usr/local/apache/ssl.crt/server.crt
/usr/local/apache/ssl.key/server.key
I start up the Apache server, then use the Microsoft Internet
Explorer on Windows 98 to connect to the Apache server.
Everything goes well, the Microsoft Explorer knows that the cert is
signed by a CA that is in it's list of CA certs, gives the proper
warning, etc. and it displays a dialog box asking if I wish to proceed.
I accept the yes button and the https page is displayed correctly.
I then login to the Redhat Linux system and start the Netscape client.
It states that it has received an improperly formatted cert and does
nothing more.
I then take the .csr and .key file mentioned above, tranfer both to the
Linux workstation and use the same openssl ca command to sign the
cert. I then transfer the resulting .crt and .key to the locations
shown above. I restart Apache, and try Netscape again. This time
it is happy and does much like the Microsoft Explorer, it displays a
dialog stating it does not know about the ca and asks if I would like
to add it.
Note that the .csr and .key are identical in both cases. In both
cases they have been created on the Windows workstation. Note
that the ca .crt and .key are identical in both cases. The only
difference is where the .csr and .key file for the server.crt is signed,
but the openssl ca program is provided the identical input and .cnf
file in both cases.
Note that in both cases, I have not imported anything into the
Explorer or Netscape. I am simply trying to connect to the www site
using a https: url to test the installation of the Apache/mod-ssl .crt
and .key file.
I have taken note that mod_ssl and a package called ssl.ca-0.1
make some nasty remarks about using the openssl.cnf as supplied
by OpenSSL and both in fact generate their own temporary
openssl.cnf files in the script used to call the openssl ca program. I
have tried the same on both Linux and Windows. It does not help
the Windows problem.
For the record, the ca cert and key were generated on the UNIX
system. They were then transfered to the Windows workstation.
So again, it appears that there is some subtle difference in
OpenSSL when used on a UNIX platform verses one used on a
Windows platform.
The important thing to note (I think) is only the Netscape client does
not like the cert received from the Apache/mod-ssl server. The
Microsft Explorer thinks it is ok, and other programs that I use with
the "problem" server cert likes it.
Ken
"Kenneth R. Robinette" wrote:
>
> Problem:
>
> An Unix Apache/mod-ssl server .crt/.key pair
> generated from a .csr/.key signed by a self
> generated CA Cert on 32 bit Windows will not work
> with the Netscape 4.72 client running on Linux
> Redhat 6.2.
>
> However the same .csr/.key signed by the same
> self generated CA Cert on Redhat 6.2 Linux will
> work. It will also work with the Microsoft
> Explorer 5.50.4522.1800 running on Windows 98,
> regardless of where the .crt/.key pair was signed.
>
> The Netscape client fails with the message
> "OpenSSL: error:14094412: SSL
> outines:SSL3_READ_BYTES:sslv3 alert bad
> certificate" in the apache log file.
>
> It would appear that the Windows based OpenSSL ca
> program is not consistant with the Unix based
> OpenSSL ca program.
>
The two cases should be indentical with respect to the generated
certificates.
How are you generating the certificates (i.e. what precise command) and
how are you importing them into Netscape, presumably a PKCS#12 file?
You mention the "same self generated CA certificate". What do you mean
by "same"? Is this the same private key or the same DN? If it is the
same DN but different keys have you installed both CA certificates as
trusted in Apache? Its possible if the DNs are the same but the keys are
different that it is attempting to verify one certificate against the
other CA and causing a verify error as a result.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__________________________________________________
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__________________________________________________
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
