Hello again. I am having the worst time trying to get a new server cert to allow ssl connections to our new site. I am going to explain everything I have done in hopes that someone will see what I am doing wrong and let me know.
1. I created a server cert request on IIS 6.0, "prepare it now and send it later". Assigned it a name, Dev. Bit length 1024 <Did not select Cryptographic service provider for this certificate>. Completed the wizard and saved to a file.

2. Moved the file to a Linux box and issued the following command to sign the cert:

openssl ca -policy policy_anything -out demo.cer -config /usr/openssl.cnf -infiles certreq.txt

Got the following:

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
commonName            :PRINTABLE:'dev.demo.org'
organizationalUnitName:PRINTABLE:'DEMO2'
organizationName      :PRINTABLE:'DEMO'
localityName          :PRINTABLE:'Arlington'
stateOrProvinceName   :PRINTABLE:'Virginia'
countryName           :PRINTABLE:'US'
Certificate is to be certified until Feb 4 18:21:54 2007 GMT (1825 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

3. Moved the cert back to the Windows box and installed the server cert and root cert into IIS. Root cert shows up in the store. Still not able to connect to the site; either I receive an empty user cert box or the browser hangs while trying to connect to the site.

4. Issued the following command and see that my root cert is not in the list of Client Certificate CA Names sent:

openssl s_client -connect dev.demo.org:443 -prexit
CONNECTED(00000003)
depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
   i:/C=US/ST=Virginia/L=Arlington/O=DEMO1/OU=DEMO2/CN=www.demo.org/Email=thash@bbn.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDqzCCAxSgAwIBAgICANcwDQYJKoZIhvcNAQEEBQAwgYgxCzAJBgNVBAYTAlVT
MREwDwYDVQQIEwhWaXJnaW5pYTESMBAGA1UEBxMJQXJsaW5ndG9uMQ4wDAYDVQQK
EwVEQVJQQTENMAsGA1UECxMEREFNTDEVMBMGA1UEAxMMd3d3LmRhbWwub3JnMRww
GgYJKoZIhvcNAQkBFg10aGFzaEBiYm4uY29tMB4XDTAyMDMxMjE1NTgxOVoXDTA3
MDMxMTE1NTgxOVowdTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRIw
EAYDVQQHEwlBcmxpbmd0b24xGTAXBgNVBAoTEEJCTiBUZWNobm9sb2dpZXMxDTAL
BgNVBAsTBERBTUwxFTATBgNVBAMTDGRldi5kYW1sLm9yZzCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA1sN2aCZRuIcmOJKC8n/VCsbuNehKJiYBS1n7vxx9rcxL
eyhXbTXzF5Kd019ewUq25WTKhptW/ZYEux4nnDqT23xcCGgR/samwuLo2iiDzV/0
6En21JUgpkdKgKlZH7FkuylO9iHteLpe73JppvtfUTSd4WWAo8u2sTT6qmsmrBsC
AwEAAaOCATQwggEwMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgSwMAsGA1Ud
DwQEAwIF4DAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
aWNhdGUwHQYDVR0OBBYEFKr1bfhwYQUF5jTqu79WnvhHtwkUMIG1BgNVHSMEga0w
gaqAFDaHpWVYqrXU+9m6FQcYkE/9cfuWoYGOpIGLMIGIMQswCQYDVQQGEwJVUzER
MA8GA1UECBMIVmlyZ2luaWExEjAQBgNVBAcTCUFybGluZ3RvbjEOMAwGA1UEChMF
REFSUEExDTALBgNVBAsTBERBTUwxFTATBgNVBAMTDHd3dy5kYW1sLm9yZzEcMBoG
CSqGSIb3DQEJARYNdGhhc2hAYmJuLmNvbYIBADANBgkqhkiG9w0BAQQFAAOBgQB+
oVJocQdY9MLw/98P0gpq9F3fk73EdJXA9j/2x88wqaeIPhybsqvUlFXSZBKtm+AC
i/PYfxdTPrSmVvD/UsW2/n7hVztZHgt4JfPeJ0cEdDS5/Hsp7SpH+f8yzxnLwxz7
nWbs0hAXPtiZX/AKRgJwZi9MnSAjo63MmViuYuFFVA==
-----END CERTIFICATE-----
subject=/C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
issuer=/C=US/ST=Virginia/L=Arlington/O=DEMO1/OU=DEMO2/CN=www.demo.org/Email=thash@bbn.com
---
No client certificate CA names sent
---
SSL handshake has read 1088 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: F90F0000B04BC2CAAE113E0D712ACA02C60B40B1BD39129CA6A75C3412945C00
    Session-ID-ctx:
    Master-Key: 4A75F30EE3C3A92B92A81C124D795C2F6F974E7C8C2C06A95D14A5FB31FF44B2C7B54DC17E83943053F212B76EFAAC9A
    Key-Arg   : None
    Start Time: 1015966110
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Any more ideas? I have tried everything I have received as a response thus far, and am truly appreciative of the responses I have received. Is the way I am requesting the cert to be signed correct? Could it be something in the openssl.cnf file that is not making the cert an actual server cert, although it is being accepted as one in IIS?

Thanks in advance, again......
Brandon

Brandon Amundson
BBN Technologies
LAB: 703 284 8189
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
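Two of the s_client lines above are worth reading separately. "num=20: unable to get local issuer certificate" and "num=21: unable to verify the first certificate" only mean that s_client was not given the CA certificate (no -CAfile), so it could not build the chain. "num=26: unsupported certificate purpose" is X509_V_ERR_INVALID_PURPOSE: the certificate chained or not, its extensions (nsCertType, keyUsage, extendedKeyUsage) do not allow it to be used as an SSL server certificate, which is exactly the "is it an actual server cert" question the post ends on. "No client certificate CA names sent" is a third, unrelated thing: that list is only sent when the server asks the browser for a client certificate, so it says nothing about whether the server certificate is trusted. The script below is an added example, not code from the post or from the OpenSSL project. It builds a throwaway test CA, signs one CSR twice, once with a server-style extension set and once with a client/email-only set, and runs "openssl verify" with and without "-purpose sslserver" so the difference between "chains to the CA" and "is usable as a server cert" is visible. The hostname, subject names and file names are constructed for the demo; the working directory defaults to a temp dir.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project): build a
# throwaway test CA, issue one server certificate whose extensions permit the
# "sslserver" purpose and one whose extensions do not, then check both the
# way s_client / openssl verify do. Names, paths and hostname are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
HOST="dev.example.test"          # constructed placeholder hostname

write_configs() {
  # Self-contained req config so the demo does not depend on the system
  # openssl.cnf. With -subj on the command line, [req_dn] may stay empty.
  cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Extension sets used when signing the CSR. "server_cert" is what a TLS
  # server certificate needs; "client_only" reproduces the purpose failure.
  cat > "$WORK/ext.cnf" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer

[ client_only ]
basicConstraints = CA:FALSE
nsCertType = client, email
extendedKeyUsage = clientAuth
EOF
}

# Self-signed test root with CA:TRUE and keyCertSign so it is accepted as an issuer.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=Example Test CA/CN=Example Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Plain CSR for the server; the extensions are decided at signing time.
make_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=Virginia/L=Arlington/O=Example/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# sign_csr <extension section> <output file name>
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/ext.cnf" -extensions "$1" -out "$WORK/$2" 2>/dev/null
}

# Chain check only: does the cert chain to our CA? Prints ok or fail.
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Chain check plus the purpose check a TLS client applies to a server cert.
verify_server_purpose() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$WORK/$1" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

write_configs
make_ca
make_csr
sign_csr server_cert good.crt
sign_csr client_only bad.crt
echo "good.crt chain=$(verify_chain good.crt) sslserver=$(verify_server_purpose good.crt)"
echo "bad.crt  chain=$(verify_chain bad.crt) sslserver=$(verify_server_purpose bad.crt)"
# Expected: good.crt chain=ok sslserver=ok; bad.crt chain=ok sslserver=fail
```

The point to take from the two result lines: bad.crt verifies fine as a chain, so a CA that "accepted" it and a server that installed it will both be happy, yet a TLS client checking the sslserver purpose rejects it with the same error 26 seen in the post. When debugging a server certificate, run "openssl verify -CAfile <your root> -purpose sslserver <cert>" first and pass "-CAfile <your root>" to s_client; errors 20 and 21 go away once the client knows the root, and whatever remains is a property of the certificate itself.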