Sorry. the problem still appear. The client certificate and ssl server(IIS 5.0) certificate were signed by the same CA. The signing operation is wrong after I add "extendedKeyUsage = clientAuthentication" in the openssl.cnf. I think openssl don't identify this extendsion, it only "identify nsCerttype = cient,email"
Hao --------------------- Just make sure that, ur client certificate signer's certificate is trusted by ur ssl/tls server and if this is not the case then whether ur client certificate has extendedKeyUsage=clientAuthentication as one of the v3 extentions (many server require this EKU to be present in client cert). Thanks Aslam -----Original Message----- From: shihao [mailto:[EMAIL PROTECTED]] Sent: Monday, April 22, 2002 11:19 AM To: [EMAIL PROTECTED] Subject: Why my browser can not identify the certificate! Dear all, I have signed personal certificate and install it in the browser,Outlook Express have identify it and I can sign or encrpt the Email. But when I connect my web server which require client certificate, web browser can not identify the certificate, can somebody tell me why? Your help will be appreciated! Hao 04/22/2002 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]