I have the same problem... (sort of)..

I have been trying a similar thing, and failing... I'm trying to be my own CA and generate a server cert so I can enable SSL on an IIS4 webserver. I made myself a CA by running the command...

  # openssl req -new -x509 -newkey rsa:1024 -md5 -keyout ./certs/CAkey.pem -out ./certs/CAcert.pem -days 365

Then I made a Certificate request in IIS Key Manager and signed it using the command...

  # openssl ca -policy policy_match -days 365 -md md5 -out ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem -cert ./certs/CAcert.pem -outdir ./certs -infiles ./certs/iis-ssl-req.txt

... where iis-ssl-req.txt is the file from IIS Key Manager.

I can then import the cert into IIS Key Manager and enable Secure Channel for my web server, but when I connect to https://secure-server, it gives me an error saying the cert is OK apart from the fact that it was "issued by a company you have chosen not to trust". When I try importing the cert into IE, it imports OK, but then it doesn't appear in the "Trusted Root Certificate Authorities". So every time I go to the site, it gives me the same error.... over & over....

If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows Exploder recognises it as a Security Certificate; when I double-click, I get "Windows does not have enough information to verify this certificate".

Anyway.... I'm lost... I've gotten this far and it's really bugging me now... Can anyone help...?????????

-----Original Message-----
From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2001 09:53
To: [EMAIL PROTECTED]
Subject: Re: using own CA certs with various clients

under windows 2000 (and nt4 afaik) with outlook 2000 and IE5 (don't know if it works for "less" than this) you can install the certificate in each client by hand quite easily... if the file name has the ending ".cer" then windows appears to recognize it and calls it "Security Certificate"... double-click on this and hit "Install Certificate..." / Next / Next / Finish / OK / OK ...

that's it... getting the cert to the client is another matter :-)

Sean

Haikel wrote:
>
> Hello,
>
> I think you have to install the CA certificates in your client browser. I know two techniques you can use:
>
> 1. your client can download your CA certificate from your web site (you need to use the mime type application/x-x509-ca-cert in your httpd.conf file)
> 2. or you can generate, for each one of your end users, a PKCS#12 file containing his private key, his certificate and your CA certificate
>
> I hope that my answer will be helpful
> bye
>
> Zachary Denison wrote:
>
> > Hi,
> >
> > I am using openssl to secure a number of services in my organization: http, imap, smtp, ldap etc...
> >
> > For our internal servers we have been able to generate CA certs with openssl and sign our own certificates and all the services work great, EXCEPT the client software always complains that the certificate chain doesn't end with a trusted CA. I am speaking specifically about MS-outlook and netscape. outlook complains every single session where netscape at least gives you the option to accept the certificate forever.
> > Anyway I am sure other clients would complain too.
> >
> > My question is how can I prevent these messages, how can I get the client software to trust our own CA cert. On the web I searched and someone said to make a pkcs12 client cert.. anyway I tried that in a number of ways and it didn't work... And I really don't care about verifying the client... I just want to make the client trust the homegrown CA.
> >
> > Any help would be much appreciated.
> > Thanks
> > Zachary.
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Make a great connection at Yahoo! Personals.
> > http://personals.yahoo.com
> >
> > _____________________________________________________________________
> >
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
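The flow the thread is circling (private CA, sign the server's request, then hand the client the CA cert rather than the server cert), as an added example that is not part of the original messages. It uses a locally generated key and CSR to stand in for the IIS Key Manager request, SHA-256 and 2048-bit RSA where the 2001 commands used md5 and rsa:1024, and constructed file names under a temporary directory; the verify step shows why importing iis-ssl-cert into IE did not help: the server cert is not a trust anchor, only the CA cert is.

```shell
#!/bin/sh
# Added example (not from the thread): private CA -> sign server request ->
# verify chain -> export the CA cert for Windows clients. Every file name is
# constructed; SHA-256 / RSA-2048 replace the md5 / rsa:1024 of the 2001 commands.
set -eu

WORK=$(mktemp -d)
# 1. The private CA (same role as CAkey.pem / CAcert.pem in the thread);
#    "req -x509" makes it self-signed and CA:TRUE via OpenSSL's default config.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/CAkey.pem" -out "$WORK/CAcert.pem" 2>/dev/null
}

# 2. Stand-in for the IIS Key Manager request: a local key plus CSR.
make_server_request() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=secure-server" \
    -keyout "$WORK/server-key.pem" -out "$WORK/iis-ssl-req.txt" 2>/dev/null
}

# 3. Sign the request. "x509 -req -CA" needs no index.txt/serial directory,
#    unlike "openssl ca"; the issued chain is the same.
sign_request() {
  openssl x509 -req -sha256 -days 365 -CAcreateserial \
    -in "$WORK/iis-ssl-req.txt" -CA "$WORK/CAcert.pem" -CAkey "$WORK/CAkey.pem" \
    -out "$WORK/iis-ssl-cert.pem" 2>/dev/null
}

# 4. The check the thread never runs: does the server cert chain to the file
#    given as trust anchor? Echoes "ok" or "FAIL" so callers can compare.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/iis-ssl-cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# 5. What the client must install under "Trusted Root Certification Authorities":
#    the CA cert, as DER with a .cer name that Windows recognises.
export_ca_for_windows() {
  openssl x509 -in "$WORK/CAcert.pem" -outform DER -out "$WORK/CAcert.cer"
  openssl x509 -inform DER -in "$WORK/CAcert.cer" -noout -subject
}

make_ca; make_server_request; sign_request
verify_against "$WORK/CAcert.pem"        # ok: the CA cert is the trust anchor
verify_against "$WORK/iis-ssl-cert.pem"  # FAIL: the server cert is not one
export_ca_for_windows
```

CAcert.cer is the file to copy to the Windows client and install, not iis-ssl-cert.cer; the server cert stays on the IIS side.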