Dear Ebell & All,
        Indeed what you said is true.

        I copied the newly created self-signed cert into the bundle of CA certificates the
server would accept, and the connection goes through fine.

        Now I am to make my own private CA and then create a certificate
signed by my private CA.  Then the problem would be solved, for me.

        I know how to create a private CA (using CA.sh -newca in the apps
directory of OpenSSL).

        What I am not aware of is how to generate a certificate signed by my private
CA in a C language program. Could someone suggest how this is done?

Thanks again
rsr.
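The situation in this exchange, a self-signed client cert being rejected and the plan to issue one from a private CA instead, carried through with the openssl command-line tool; this is an added example, not code from the thread or from OpenSSL's CA.sh. It assumes the openssl CLI is on PATH, and the names demo-ca and client1 and the lifetimes are constructed; it shows the whole chain (CA, CA-signed client cert, and the verification a server performs) rather than the C program the question asks for.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH;
# the names demo-ca and client1 and the certificate lifetimes are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Private CA: a key and a self-signed CA certificate (what CA.sh -newca does).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 365 -subj "/CN=demo-ca" >/dev/null 2>&1

# 2. Client key and a certificate signing request carrying the client's subject.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client1" >/dev/null 2>&1

# 3. Issue the client certificate: issuer = CA subject, signature = CA key.
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days 45 >/dev/null 2>&1

# 4. For contrast, a self-signed end-entity certificate like the original one.
openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.crt \
  -days 45 -subj "/CN=client1" >/dev/null 2>&1

# The check a server performs on a client certificate: does it chain to a
# certificate in the trusted bundle? Exit status 0 = accepted, non-zero = rejected.
verify_against() {   # verify_against BUNDLE CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer DN of a certificate, e.g. "issuer=CN = demo-ca" (spacing varies by version).
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# The workaround from the thread: adding the self-signed cert to the bundle
# makes it a trust anchor, which is why the connection then "goes through".
cat ca.crt self.crt > bundle-with-self.crt

if verify_against ca.crt client.crt; then echo "CA-signed client cert: accepted"; fi
if ! verify_against ca.crt self.crt; then echo "self-signed client cert: rejected"; fi
if verify_against bundle-with-self.crt self.crt; then
  echo "self-signed cert accepted only once it is itself in the CA bundle"
fi
```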



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Gotz Babin-Ebell
Sent: Wednesday, February 12, 2003 10:38 PM
To: [EMAIL PROTECTED]
Subject: Re: are server certs different from client certs


Hello,

Chandrasekhar R S wrote:
> Hi all,
>       I have created a certificate using the following sequence of calls:
>
>       X509_new()
>       RSA_generate_key()
>       X509_set_version(cert,3)
>       ASN1_INTEGER_set(X509_get_serialNumber(cert),0)
>       X509_gmtime_adj(X509_get_notBefore(cert),0);
>       X509_gmtime_adj(X509_get_notAfter(cert),45);
>       X509_set_pubkey(cert,pk)
>       X509_set_issuer_name()
>       X509_set_subject_name()
>       X509_sign()

I assume: self-signed certificate?

>       The certificate thus created works fine when registered with a server
> (i.e., the server presents the certificate and communication goes through
> fine).
>
>       Instead, the same certificate registered with a client does not work. The
> server, mandated to authenticate the client, throws up an error:
>       "25199:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
> certificate returned:s3_srvr.c:1989:"

The server sends a list of trusted CA certs for client authentication.
If the client cert is self-signed, it is not in this list, so it is not
accepted as a valid client certificate.

Self-signed certificates as end entity certificates are a quick hack.
You should (almost) always work with an (official or own) CA.

Bye

Goetz

--
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]