> Hi all,
>
> I have generated a self signed root certification authority and an
> intermediate certification authority signed by the root CA using openssl
> 0.9.7g. The intermediate CA signed an apache 1 with mod-ssl SSL server
> certificate. Both the root and intermediate PEM certificates are placed
> in the file ca.crt pointed by the directive SSLCACertificateFile.

How about putting the intermediate CA-certificate in the file
ca.chain and let the directive SSLCertificateChainFile point
to it? SSLCACertificateFile is IMHO only for accepted CAs
for client authentication (so no wonder the server does not
accept the connection request, your browser does not have
an according client certificate).

Unfortunately it is not working. IE still cannot display the page and Mozilla causes the following entry in error_log: [Mon Jun 13 16:42:57 2005] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

But CN is identical to server name and openssl verifies the server certificate correctly. If both root and intermediate CA certificates are imported in Mozilla the page is opened without problems. However the same thing does not work in IE - the page cannot be displayed. I am really confused.



> I would greatly appreciate any help, since I can not find any solution
> for this.

I hope it works as described above. Cheers,
  Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
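
Added example, not part of the thread: a local check of the chain-building behaviour discussed above, using a throwaway root, intermediate and server certificate. All subject names and file names are constructed, and `openssl verify -untrusted` stands in for the intermediate certificate a server presents when SSLCertificateChainFile is set; it assumes the `openssl` command is on the PATH.

```bash
#!/usr/bin/env bash
# Added example; every subject and file name here is constructed.
set -eu

# issue DIR NAME CN EXTFILE ISSUER   (ISSUER="" means self-signed)
issue() {
  local d=$1 name=$2 cn=$3 ext=$4 issuer=$5
  openssl req -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
    -subj "/CN=$cn" -out "$d/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
      -extfile "$ext" -days 30 -out "$d/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.crt" \
      -CAkey "$d/$issuer.key" -set_serial 1 \
      -extfile "$ext" -days 30 -out "$d/$name.crt" 2>/dev/null
  fi
}

# client_accepts TRUSTED SENT LEAF: TRUSTED holds the CAs the client imported,
# SENT the extra (untrusted) certificates the server presents, "" if none.
client_accepts() {
  local trusted=$1 sent=$2 leaf=$3
  set -- -CAfile "$trusted"
  [ -z "$sent" ] || set -- "$@" -untrusted "$sent"
  openssl verify "$@" "$leaf" 2>/dev/null | grep -q ': OK$'
}

# Prints one digit per case (1 = accepted, 0 = rejected).
demo() {
  local d r=""
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  issue "$d" root   "Example Root CA"         "$d/ca.ext"   ""
  issue "$d" inter  "Example Intermediate CA" "$d/ca.ext"   root
  issue "$d" server "www.example.test"        "$d/leaf.ext" inter
  cat "$d/root.crt" "$d/inter.crt" > "$d/both.crt"
  # 1) client trusts the root only, server sends no intermediate
  client_accepts "$d/root.crt" "" "$d/server.crt" && r="${r}1" || r="${r}0"
  # 2) same client, server also sends the intermediate (chain file set)
  client_accepts "$d/root.crt" "$d/inter.crt" "$d/server.crt" && r="${r}1" || r="${r}0"
  # 3) no intermediate sent, but the client imported both CA certificates
  client_accepts "$d/both.crt" "" "$d/server.crt" && r="${r}1" || r="${r}0"
  rm -rf "$d"
  echo "$r"
}

demo
```

To see what a live server actually presents, `openssl s_client -connect host:443 -showcerts` lists the certificates in its handshake.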
