Hi Brandon,

Have you imported the public root certificate into your browser before trying to connect to the webserver? Otherwise, your browser won't recognize the certificate.

Best regards,
Huibert

Quoting Brandon Amundson <[EMAIL PROTECTED]>:

> Hello again.
>
> I am having the worst time trying to get a new server cert to allow ssl
> connections to our new site. I am going to explain everything I have done
> in hopes that someone will see what I am doing wrong and let me know.
>
> 1. I created a server cert request on IIS 6.0,
> prepare it now and send it later.
> Assign it a name; Dev.
> Bit length 1024
> <Did not select Cryptographic service provider for this certificate>
>
> Completed the wizard and saved to a file.
>
> 2. Moved file to Linux box and issued the following command to sign cert.
>
> openssl ca -policy policy_anything -out demo.cer -config /usr/openssl.cnf -infiles certreq.txt
>
> Got the following:
>
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> Check that the request matches the signature
> Signature ok
> The Subjects Distinguished Name is as follows
> commonName            :PRINTABLE:'dev.demo.org'
> organizationalUnitName:PRINTABLE:'DEMO2'
> organizationName      :PRINTABLE:'DEMO'
> localityName          :PRINTABLE:'Arlington'
> stateOrProvinceName   :PRINTABLE:'Virginia'
> countryName           :PRINTABLE:'US'
> Certificate is to be certified until Feb 4 18:21:54 2007 GMT (1825 days)
> Sign the certificate? [y/n]:y
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> 3. Moved cert back to Windows box and installed server cert and root cert
> into IIS.
>
> Root cert shows up in store
> Still not able to connect to site, either I receive an empty user cert box
> or the browser hangs while trying to connect to the site.
>
> 4. Issue the following command and see that my root cert is not in the
> list of Client Certificate CA Names sent.
>
> openssl s_client -connect dev.demo.org:443 -prexit
> CONNECTED(00000003)
> depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
> verify error:num=26:unsupported certificate purpose
> verify return:1
> depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=Virginia/L=Arlington/O=DEMO/OU=DEMO2/CN=dev.demo.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=Virginia/L=Arlington/O=DEMO /OU=DEMO2/CN=dev.demo.org
>   i:/C=US/ST=Virginia/L=Arlington/O=DEMO1/OU=DEMO2/CN=www.demo.org/Email=thash@bbn.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDqzCCAxSgAwIBAgICANcwDQYJKoZIhvcNAQEEBQAwgYgxCzAJBgNVBAYTAlVT
> MREwDwYDVQQIEwhWaXJnaW5pYTESMBAGA1UEBxMJQXJsaW5ndG9uMQ4wDAYDVQQK
> EwVEQVJQQTENMAsGA1UECxMEREFNTDEVMBMGA1UEAxMMd3d3LmRhbWwub3JnMRww
> GgYJKoZIhvcNAQkBFg10aGFzaEBiYm4uY29tMB4XDTAyMDMxMjE1NTgxOVoXDTA3
> MDMxMTE1NTgxOVowdTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZpcmdpbmlhMRIw
> EAYDVQQHEwlBcmxpbmd0b24xGTAXBgNVBAoTEEJCTiBUZWNobm9sb2dpZXMxDTAL
> BgNVBAsTBERBTUwxFTATBgNVBAMTDGRldi5kYW1sLm9yZzCBnzANBgkqhkiG9w0B
> AQEFAAOBjQAwgYkCgYEA1sN2aCZRuIcmOJKC8n/VCsbuNehKJiYBS1n7vxx9rcxL
> eyhXbTXzF5Kd019ewUq25WTKhptW/ZYEux4nnDqT23xcCGgR/samwuLo2iiDzV/0
> 6En21JUgpkdKgKlZH7FkuylO9iHteLpe73JppvtfUTSd4WWAo8u2sTT6qmsmrBsC
> AwEAAaOCATQwggEwMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgSwMAsGA1Ud
> DwQEAwIF4DAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
> aWNhdGUwHQYDVR0OBBYEFKr1bfhwYQUF5jTqu79WnvhHtwkUMIG1BgNVHSMEga0w
> gaqAFDaHpWVYqrXU+9m6FQcYkE/9cfuWoYGOpIGLMIGIMQswCQYDVQQGEwJVUzER
> MA8GA1UECBMIVmlyZ2luaWExEjAQBgNVBAcTCUFybGluZ3RvbjEOMAwGA1UEChMF
> REFSUEExDTALBgNVBAsTBERBTUwxFTATBgNVBAMTDHd3dy5kYW1sLm9yZzEcMBoG
> CSqGSIb3DQEJARYNdGhhc2hAYmJuLmNvbYIBADANBgkqhkiG9w0BAQQFAAOBgQB+
> oVJocQdY9MLw/98P0gpq9F3fk73EdJXA9j/2x88wqaeIPhybsqvUlFXSZBKtm+AC
> i/PYfxdTPrSmVvD/UsW2/n7hVztZHgt4JfPeJ0cEdDS5/Hsp7SpH+f8yzxnLwxz7
> nWbs0hAXPtiZX/AKRgJwZi9MnSAjo63MmViuYuFFVA==
> -----END CERTIFICATE-----
> subject=/C=US/ST=Virginia/L=Arlington/O=DEMO /OU=DEMO2/CN=dev.demo.org
> issuer=/C=US/ST=Virginia/L=Arlington/O=DEMO1/OU=DEMO2/CN=www.demo.org/Email=thash@bbn.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1088 bytes and written 318 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-MD5
>     Session-ID: F90F0000B04BC2CAAE113E0D712ACA02C60B40B1BD39129CA6A75C3412945C00
>     Session-ID-ctx:
>     Master-Key: 4A75F30EE3C3A92B92A81C124D795C2F6F974E7C8C2C06A95D14A5FB31FF44B2C7B54DC17E83943053F212B76EFAAC9A
>     Key-Arg   : None
>     Start Time: 1015966110
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>
> Any more ideas? I have tried everything I have received as a response thus
> far, and am truly appreciative of the responses I have received. Is the way
> I am requesting the cert to be signed correct? Could it be something in the
> openssl.cnf file that is not making the cert an actual server cert, although
> it is being accepted as one in IIS?
>
> Thanks in advance, again......
>
> Brandon
>
> Brandon Amundson
> BBN Technologies
> LAB: 703 284 8189
> [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                         [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> ______________________________________________________________________
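The `verify error:num=26:unsupported certificate purpose` line in the quoted s_client output is OpenSSL applying its SSL-server purpose rule to the certificate's usage extensions, and decoding the quoted certificate shows why: its nsCertType is client, email, objsign with no server bit (keyUsage is digitalSignature, nonRepudiation, keyEncipherment). The script below is an added example, not code from this thread or from OpenSSL: a stdlib-only DER decoder for nsCertType, keyUsage and extendedKeyUsage that applies the same rule, run on constructed sample bytes that reproduce those extension values and on a server-capable variant; all function names are my own.

```python
OID_KU, OID_NS, OID_EKU = "2.5.29.15", "2.16.840.1.113730.1.1", "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
NS_BITS = {0x80: "client", 0x40: "server", 0x20: "email", 0x10: "objsign"}
KU_TLS = 0x80 | 0x20 | 0x08  # digitalSignature | keyEncipherment | keyAgreement

def iter_tlv(data):
    """Yield (tag, value) for each DER TLV in data (short- and long-form lengths)."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the byte count of the length
            n = length & 0x7F; length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length
def decode_oid(raw):  # dotted-string form of a DER OBJECT IDENTIFIER value (base-128 arcs)
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(val); val = 0
    return ".".join(map(str, arcs))
def first_bits(bit_string_der):  # first content byte of a DER BIT STRING (bit 0 is 0x80)
    body = next(iter_tlv(bit_string_der))[1]
    return body[1] if len(body) > 1 else 0
def parse_extensions(ext_seq):  # map extension OID -> extnValue contents (tbsCertificate [3] SEQUENCE)
    exts = {}
    for _, ext in iter_tlv(ext_seq):
        parts = list(iter_tlv(ext))  # OID, optional critical BOOLEAN, OCTET STRING
        exts[decode_oid(parts[0][1])] = parts[-1][1]
    return exts

def ssl_server_purpose(exts):
    """OpenSSL's SSL-server purpose rule for an end-entity certificate: every usage
    extension that is present must permit server use, else error 26 is reported."""
    if OID_NS in exts and not first_bits(exts[OID_NS]) & 0x40:
        names = [n for b, n in NS_BITS.items() if first_bits(exts[OID_NS]) & b]
        return False, "nsCertType = %s (no server bit)" % ", ".join(names)
    if OID_KU in exts and not first_bits(exts[OID_KU]) & KU_TLS:
        return False, "keyUsage lacks digitalSignature/keyEncipherment"
    if OID_EKU in exts:
        ekus = [decode_oid(v) for _, v in iter_tlv(next(iter_tlv(exts[OID_EKU]))[1])]
        if OID_SERVER_AUTH not in ekus:
            return False, "extendedKeyUsage lacks serverAuth"
    return True, "usable as an SSL/TLS server certificate"

# Constructed samples: the usage extensions encoded as in the certificate quoted above
# (CA:FALSE; nsCertType 0xB0 = client,email,objsign; keyUsage 0xE0) and a server variant.
AS_SIGNED = bytes.fromhex("3009 0603551d13 0402 3000  3011 0609 60864801 86f84201 01 0404 030204b0"
                          "  300b 0603551d0f 0404 030205e0")
SERVER_OK = AS_SIGNED.replace(bytes.fromhex("030204b0"), bytes.fromhex("03020640"))
```

`ssl_server_purpose(parse_extensions(AS_SIGNED))` reports the missing server bit, while the variant passes; on a certificate that also carries extendedKeyUsage, which current browsers rely on instead of nsCertType, the same function insists on serverAuth.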