I am using OpenSSL 1.0.0a (on Solaris 10) as a basic CA. I use this to
sign SSL certificates for various internal servers (web, e-mail, etc.).
I recently used the "openssl ca" command to renew the CA machine's
own public certificate. The modulus (public key) of the new
certificate is the same as the old one. I put the new cert on an
internal web page so that users could install it.
On Windows (XP, 2003, Win 7) users can use Internet Explorer to install
the certificate as a trusted root certificate. (If the user is an admin,
it can be installed for the computer rather than just the user.) IE,
Outlook and any other apps that rely on the Windows/IE cert store are OK.
Firefox (various versions) on Windows now complains that a server is not
trusted when I connect to an internal site, even if the new CA
certificate has been installed.
On Linux, Firefox, Thunderbird and Google Chrome also complain. If I
generate a new server certificate, it seems to be OK. It seems that
Firefox and some other apps do not like server certificates that are
older than the CA certificate. Is this correct?
FYI, Citrix XenApp Receiver ver 11 for Linux has problems. It seemed
to just ignore the updated certificate. Citrix XenApp Receiver ver 12
did not.
- Renewed CA's own cert, IE still trusted signed sites but f... Gaiseric Vandal
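As an added example (not the poster's CA or configuration), the script below rebuilds the situation described above in a scratch directory with constructed names (`Example Internal CA`, `www.example.internal`): one CA key, the original CA certificate, a server certificate issued under it, then a renewed CA certificate with the same key and subject. It prints the fields worth comparing when one client accepts the chain and another does not (notBefore, key hash, Subject/Authority Key Identifier) and reports whether OpenSSL's own `verify` chains the older server certificate to the renewed CA certificate; it says nothing about what a browser's trust store will decide.

```shell
#!/bin/sh
# Constructed reproduction of the scenario above: one CA key, an original
# CA certificate, a server certificate issued under it, then a renewed CA
# certificate (same key, same subject, later notBefore and serial).
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ext.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.internal
EOF
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/CN=Example Internal CA" -config ext.cnf -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -set_serial 1 \
  -extfile ext.cnf -extensions ca_ext -out ca_old.pem 2>/dev/null
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/CN=www.example.internal" -config ext.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca_old.pem -CAkey ca.key -set_serial 1000 -days 1 \
  -extfile ext.cnf -extensions srv_ext -out server.pem 2>/dev/null
sleep 1   # so the renewed CA cert's notBefore is strictly later than the server cert's
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -set_serial 2 \
  -extfile ext.cnf -extensions ca_ext -out ca_new.pem 2>/dev/null
key_fingerprint() {  # SHA-256 of the RSA modulus: equal for both CA certs, as in the post
  openssl x509 -in "$1" -noout -modulus | openssl dgst -sha256 | awk '{print $NF}'
}
not_before() { openssl x509 -in "$1" -noout -startdate | cut -d= -f2; }
key_ids() {  # Subject/Authority Key Identifier: what a verifier uses to match leaf to issuer
  openssl x509 -in "$1" -noout -text | grep -A1 'Key Identifier' | grep -v '^--$'
}
verifies_under() {  # $1 = CA cert to trust, $2 = leaf; exit 0 when OpenSSL builds the chain
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

for c in ca_old.pem server.pem ca_new.pem; do
  echo "== $c  notBefore: $(not_before "$c")  keyhash: $(key_fingerprint "$c" | cut -c1-16)"
  key_ids "$c" | sed 's/^/   /'
done
verifies_under ca_new.pem server.pem && echo "openssl verify: server.pem chains to the renewed CA cert" \
  || echo "openssl verify: server.pem does NOT chain to the renewed CA cert"
```

Run the same `key_fingerprint` and `key_ids` functions against the real old and renewed CA certificates to confirm they match before looking at the client side.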