Thank you all for posting solutions. It was just a
matter of importing the rootCA into the client. On my
systems (Outlook and Netscape), I just needed to
import the rootCA and then it stopped complaining
about all certs signed by that root. It seems to have
worked... Do I need to import the server cert as
well?


--- Sean O'Riordain <[EMAIL PROTECTED]> wrote:
> Sorry, I was unclear - the client needs BOTH the server cert and your CA
> cert.
>
> What I did was I put the certs in a shared directory... and then each
> machine that wanted them just double clicked on the CA.cer and
> server.cer ... done...
>
> cheers,
> Sean
> 
> Steve Barnes wrote:
> >
> > I have the same problem... (sort of)..
> >
> > I have been trying a similar thing, and failing... I'm trying to be my own
> > CA and generate a server cert so I can enable SSL on an IIS4 webserver.
> >
> > I made myself a CA by running the command...
> >
> > #openssl req -new -x509 -newkey rsa:1024 -md5 -keyout ./certs/CAkey.pem -out ./certs/CAcert.pem -days 365
> >
> > Then I made a Certificate request in IIS Key Manager and signed it using the
> > command...
> >
> > #openssl ca -policy policy_match -days 365 -md md5 -out ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem -cert ./certs/CAcert.pem -outdir ./certs -infiles ./certs/iis-ssl-req.txt
> >
> > ... where iis-ssl-req.txt is the file from IIS Key Manager.
> >
> > I can then import the cert into IIS Key Manager and enable Secure Channel
> > for my web server, but when I connect to https://secure-server, it gives me
> > an error saying the cert is ok apart from the fact that it was "issued by a
> > company you have chosen not to trust". When I try importing the cert into
> > IE, it imports it ok, but then it doesn't appear in the "Trusted Root
> > Certificate Authorities". So every time I go to the site, it gives me the
> > same error.... over & over....
> >
> > If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows
> > Exploder recognises it as a Security Certificate, when I double click, I get
> > "Windows does not have enough information to verify this certificate"
> >
> > Anyway.... I'm lost... I've gotten this far and it's really bugging me
> > now...
> >
> > Can anyone help...?????????
> > 
> > -----Original Message-----
> > From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
> > Sent: 17 October 2001 09:53
> > To: [EMAIL PROTECTED]
> > Subject: Re: using own CA certs with various clients
> >
> > Under Windows 2000 (and NT4 afaik) with Outlook 2000 and IE5 (don't know
> > if works for "less" than this) you can install the certificate in each
> > client by hand quite easily... if the file name has ending ".cer" then
> > Windows appears to recognize it and calls it "Security Certificate"...
> > double click on this and hit "Install Certificate..." / Next / Next /
> > Finish / OK / OK ... that's it...
> >
> > getting the cert to the client is another matter :-)
> >
> > Sean
> > 
> > Haikel wrote:
> > >
> > > Hello,
> > >
> > > I think you have to install the CA certificates in your client
> > > browser. I know two techniques you can use:
> > >
> > >   1. your client can download your CA certificate from your web site
> > >      (you need to use the mime type application/x-x509-ca-cert in your
> > >      httpd.conf file)
> > >   2. or you can generate, for each one of your end users, a PKCS#12
> > >      file containing his private key, his certificate and your
> > >      CA certificate
> > >
> > > I hope that my answer will be helpful
> > > bye
> > >
> > > Zachary Denison wrote:
> > >
> > > > Hi,
> > > >
> > > > I am using openssl to secure a number of services in
> > > > my organization: http, imap, smtp, ldap etc...
> > > >
> > > > For our internal servers we have been able to generate
> > > > CA certs with openssl and sign our own certificates
> > > > and all the services work great, EXCEPT the client
> > > > software always complains that the certificate chain
> > > > doesn't end with a trusted CA.  I am speaking
> > > > specifically about MS-Outlook and Netscape. Outlook
> > > > complains every single session where Netscape at least
> > > > gives you the option to accept the certificate
> > > > forever.
> > > > Anyway I am sure other clients would complain too.
> > > >
> > > > My question is how can I prevent these messages, how
> > > > can I get the client software to trust our own CA
> > > > cert.  On the web I searched and someone said to make
> > > > a pkcs12 client cert.. anyway I tried that in a number
> > > > of ways and it didn't work... And I really don't care
> > > > about verifying the client... I want to just make the
> > > > client trust the homegrown CA.
> > > >
> > > > Any help would be much appreciated.
> > > > Thanks
> > > > Zachary.
> 
=== message truncated ===


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
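
The trust relationship this thread is about, as an added example that is not part of any poster's message: with the openssl CLI, a verifier that trusts only the issuing root CA accepts a server certificate signed by that root, and rejects the same certificate when only an unrelated root is trusted. The names "Demo Root CA", "Other Root CA" and "secure-server" are constructed, and the keys are throwaway.

```shell
#!/bin/sh
# Added illustration. "Demo Root CA", "Other Root CA" and "secure-server" are
# constructed names; the keys are throwaway and written only to the given dir.

# Build a root CA, a server cert signed by it, and an unrelated root.
make_demo_pki() {
    dir=$1
    # Self-signed root (RSA-2048/SHA-256 instead of the thread's rsa:1024/md5).
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/O=Demo Org/CN=Demo Root CA" \
        -keyout "$dir/CAkey.pem" -out "$dir/CAcert.pem" 2>/dev/null
    # Server key and certificate request (the role played by IIS Key Manager).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Demo Org/CN=secure-server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # The CA signs the request.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    # A second, unrelated self-signed root the server cert does NOT chain to.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/O=Other Org/CN=Other Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# chain_ok <trusted-roots.pem> <cert.pem>
# Succeeds only if the cert chains to a root in the given file.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo"
if chain_ok "$demo/CAcert.pem" "$demo/server.pem"; then
    echo "trusting only the issuing root: server cert verifies"
fi
if ! chain_ok "$demo/other.pem" "$demo/server.pem"; then
    echo "trusting only an unrelated root: server cert is rejected"
fi
rm -rf "$demo"
```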
