Hey all. I have a problem I need to solve.

I am testing an SSL client app, and need to verify that SSL
certificate chains are handled correctly. So I took my root CA cert,
and used it to sign another cert. I then used that cert to sign a
cert for my server.

I installed the cert on my server, and installed the intermediate CA
as a chain using the SSLCertificateChainFile directive in the Apache
httpd.conf. Sounds right to me, and that is what the online Apache
docs say to do.

But . . .

When I try to connect to the server via Netscape on the secure port, I
get the following popup:

The security library has encountered an improperly formatted
DER-encoded message.

Any ideas?

I am including the x509 output of my intermediate below. I notice
that the CA constraint is false. Does this have anything to do with
the problem? I am guessing it does, but how do I fix this? I have
been all over the online docs, so I am fairly certain that I am just
not seeing what's in front of me, or my antennae are just not picking
up the right stations :)

I appreciate any help.

This is what my intermediate CA looks like:

$ openssl x509 -text -in Int_CA2.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 32 (0x20)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Massachusetts, L=Woburn, O=Mirror Image Internet,
OU=Engineering, CN=Louis [EMAIL PROTECTED]
Validity
Not Before: Sep 18 20:25:12 2001 GMT
Not After : Sep 18 20:25:12 2002 GMT
Subject: C=US, ST=Massachusetts, O=Mirror Image, O=Mirror Image Internet,
OU=Engineering, CN=Louis LeBlanc [EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e6:57:dd:8c:85:0c:7f:fd:28:cf:0b:af:eb:ba:
26:ef:22:79:df:33:2c:ca:74:eb:1f:0c:15:a3:45:
39:68:b9:fe:e9:f0:3c:9f:a3:f6:94:59:b4:02:b5:
6b:a9:0a:8e:9b:86:f5:1d:7c:13:f7:d2:cc:68:0c:
b0:82:a9:47:90:a3:45:0f:f1:b8:6b:71:18:ff:e5:
6c:26:fd:61:7c:5b:f2:ae:97:ac:e4:5e:45:6f:14:
b4:71:0d:a0:78:97:69:d5:ad:85:2f:29:58:c8:70:
06:79:bd:0f:92:3f:10:3f:f6:f1:1a:a3:94:b1:81:
a3:8f:57:e7:51:24:ae:4f:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
61:25:7A:4D:A2:85:95:C2:8D:6D:84:A8:D7:BB:31:7F:4A:E0:0B:04
X509v3 Authority Key Identifier:
DirName:/C=US/ST=Massachusetts/L=Woburn/O=Mirror Image
Internet/OU=Engineering/CN=Louis [EMAIL PROTECTED]
serial:00
Signature Algorithm: md5WithRSAEncryption
2a:d5:1a:50:13:be:f4:0b:d3:25:6c:d0:89:43:4a:4c:5e:ac:
7c:41:07:71:30:6d:69:3d:de:b0:36:8d:b4:f0:0a:35:1e:c6:
47:25:80:cb:2b:3c:a6:f6:6b:09:7c:25:62:4a:5d:07:f5:4b:
ed:31:a9:c3:9e:64:b9:d9:f9:23:fa:ad:37:13:7c:8b:cb:27:
fe:a0:0d:35:8c:19:84:e7:a6:4b:6b:ae:df:90:0e:36:84:97:
96:45:b4:42:5c:2e:63:18:74:f6:7a:3c:b7:08:64:68:39:48:
55:ce:96:7a:14:33:7c:21:e8:d7:0f:77:37:2b:55:fa:aa:24:
fe:1d
Thanks
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net
QOTD:
"It seems to me that your antenna doesn't bring in too many
stations anymore."
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
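
On the CA:FALSE question raised in the post: RFC 5280 says a version 3 certificate whose Basic Constraints extension is absent or not CA:TRUE must not be used to verify signatures on other certificates, so every certificate placed in SSLCertificateChainFile should pass that check. The following is an added example, not part of the original post; the function names are hypothetical, and the sample text is trimmed from the dump above plus one constructed variant.

```python
import re

def basic_constraints(x509_text):
    """Return (is_ca, pathlen) from `openssl x509 -text` output.

    A missing extension is reported as (False, None): a v3 certificate
    without CA:TRUE must not be used to verify other certificates.
    Indentation is ignored, so flattened dumps parse too.
    """
    lines = [ln.strip() for ln in x509_text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines[:-1]):
        if ln.startswith("X509v3 Basic Constraints"):
            value = lines[i + 1]  # e.g. "CA:TRUE, pathlen:0"
            is_ca = re.search(r"\bCA:TRUE\b", value) is not None
            m = re.search(r"pathlen:(\d+)", value)
            return is_ca, int(m.group(1)) if m else None
    return False, None

def subject_of(x509_text):
    # "Subject Public Key Info:" does not match because of the colon.
    m = re.search(r"^\s*Subject:\s*(.+)$", x509_text, re.M)
    return m.group(1).strip() if m else "<no subject>"

def check_chain_file(cert_texts):
    """cert_texts: text dumps of each cert listed in the chain file.

    Each of them is the issuer of another certificate, so each must be
    CA:TRUE. Returns a list of problem strings (empty means OK).
    """
    problems = []
    for text in cert_texts:
        is_ca, _ = basic_constraints(text)
        if not is_ca:
            problems.append(f"{subject_of(text)}: not CA:TRUE, cannot act as an issuer")
    return problems

# Trimmed from the dump posted above (hex blocks and most fields omitted).
POSTED_INTERMEDIATE = """\
Subject: C=US, ST=Massachusetts, O=Mirror Image, O=Mirror Image Internet, OU=Engineering, CN=Louis LeBlanc [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
"""
# Constructed sample: how the same dump would read if reissued as a CA.
REISSUED_INTERMEDIATE = POSTED_INTERMEDIATE.replace(
    "X509v3 Basic Constraints:\nCA:FALSE",
    "X509v3 Basic Constraints: critical\nCA:TRUE, pathlen:0")

if __name__ == "__main__":
    for name, text in [("posted", POSTED_INTERMEDIATE), ("reissued", REISSUED_INTERMEDIATE)]:
        print(name, check_chain_file([text]) or "OK")
```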