Mistake in getting Verisign Certificate
As seen in the subject, a colleague of mine requested a Global ID certificate from Verisign for Microsoft IIS, but we need to use it with Apache + ModSSL + PHP on Win NT 4.0. When we received the Verisign mail with the certificate I thought it was the same for Apache and I tried to install it, but Apache+ModSSL complained it was a wrong certificate.

Investigating further on the Verisign Web site, they say that for IIS to work fine I have to download a Microsoft piece of software, "sgcinst.exe". I downloaded it and I ran it against the certificate Verisign sent to us by e-mail. The syntax for that utility is:

    USAGE: sgcinst [-?] [-v] [-c] [-i] [-r] [-o outputfile] inputfile
    Invalid Parameter: Input filename required.
    -?  This help message
    -v  Verbose output
    -c  Confirm - check to see if intermediate certificates were installed
    -i  Install intermediate certificate - requires Administrator privileges
    -r  File contains root certificate, ignore it
    -o  Name of server certificate to install with IIS' key manager
    This tool does two things:
    Install the intermediate certificates necessary for SGC to work properly on a server. The intermediate certificates MUST be installed on EVERY server.
    Parse out the server certificate that the IIS' key manager needs to install.
    sgcinst: Failed while processing parameters

so I issued the following command:

    sgcinst -v -i -o server.crt verisign.crt

where
    verisign.crt is the e-mailed certificate
    server.crt is the output certificate

I installed this generated certificate and everything works fine except for: The CA that signed the certificate is not on the browsers list so browsers (Netscape and IE) complain that they cannot recognize the CA.

I found that when I started the "sgcinst.exe" program it added something on the Win NT registry, and it seems to be a new entry for the list of CA which in my case is:

    Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

The question is: Is there a mode of extracting the information about CA from the verisign.crt or even from the registry to put it in the ca-bundle.crt? Any advice will be very appreciated.

---
"On a day not different than the one now dawning, Leonardo drew the first strokes of the Mona Lisa, Shakespeare wrote the first words of Hamlet, and Beethoven began work on his Ninth Symphony." And Windows98 Crashed!
---
Francesco D'Inzeo
WinTech S.r.l.
Via Lisbona 7
35127 PADOVA (Italy)
Tel. (+39)-(0)49-8703033
Fax. (+39)-(0)49-8703045
e-mail [EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Mistake in getting Verisign Certificate
It's actually relatively easy to pull certificates out of the NT registry. It requires IE4.0 or 5.0 (5.0 works better), but here are the steps:

1) Go to Settings | Control Panel | Internet.
2) Click Content.
3) Under 'Certificates', click the Certificates button.
4) In the window that pops up, click on 'Intermediate Certification Authorities'.

You should be able to then click on the appropriate certificate, and Export.

(If you do not know the name of the SGC Intermediate Authority that you need to be using, you can put the SGC certificate that you received from VeriSign on an NT/IIS server, install the sgcinst.exe, and then connect to that server in secure mode from MSIE. This should allow you to double-click the lock icon, select the certificate that you don't have [in the 'certification chain' window, click on it, and then click 'View Certificate'], and export it to a file. [This is done under the Details tab, and Copy to File.])

Hope this helps. (I believe it gets exported in standard .der format, but I could be mistaken.)

---
Mat Butler, Winged Wolf [EMAIL PROTECTED]
SPASTIC Web Engineer
SPASTIC Server Administrator
Begin FurryCode v1.3 FCWw5amrsw A- C+ D H+++ M+[servercoder] P+ R++ T+++ W Z++ Sm++ RLCT/M*/LW* a cl/u/v+ !d e- f h++ iwf+++ j p-+ sm++ End FurryCode v1.3

On Wed, 12 Apr 2000, Francesco D'Inzeo wrote:
> The question is: Is there a mode of extracting the information about CA from the verisign.crt or even from the registry to put it in the ca-bundle.crt?
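The reply above is unsure whether the export comes out as DER, so the following added example (not part of the original thread) accepts either binary DER or Base64/PEM text and appends the certificate to a PEM bundle such as the ca-bundle.crt named in the question, skipping it if it is already present. The function names and the sample bytes are constructed for illustration.

```python
import re
import ssl

# Matches each PEM-armoured certificate inside a bundle or an exported file.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for an exported file: a tiny DER SEQUENCE, not a
# real certificate. The conversion below is encoding-only.
SAMPLE_DER = b"\x30\x0c" + b"constructed!"


def export_to_der(data: bytes) -> bytes:
    """Return the DER bytes of an exported certificate file.

    Accepts Base64 (PEM) text or binary DER, because the export format
    is not certain. Only the outer encoding is checked; the certificate
    itself is not parsed or validated.
    """
    text = data.decode("ascii", errors="ignore")
    match = PEM_BLOCK.search(text)
    if match:
        return ssl.PEM_cert_to_DER_cert(match.group(0))
    if data[:1] == b"\x30":  # DER certificates begin with an ASN.1 SEQUENCE
        return data
    raise ValueError("not a DER or PEM encoded certificate")


def add_to_bundle(bundle_text: str, exported: bytes) -> str:
    """Append the exported CA certificate to a PEM bundle, once."""
    der = export_to_der(exported)
    present = {ssl.PEM_cert_to_DER_cert(block)
               for block in PEM_BLOCK.findall(bundle_text)}
    if der in present:
        return bundle_text  # already in the bundle, leave it untouched
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    bundle = add_to_bundle("", SAMPLE_DER)
    print(bundle, end="")
```

Because the tag check does not parse the certificate, confirm the subject and issuer of the exported file (for example with `openssl x509 -inform DER -in <file> -noout -subject -issuer`) before adding it to a bundle the server trusts.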
Re: Mistake in getting Verisign Certificate
Also: If you have a problem connecting to your server with MSIE in secure mode (it returns a DNS error in IE5, or 'the server returned an invalid or unrecognized response' in IE4), you need to download the schannel.dll update from Microsoft (see Knowledge Base article Q247367).

The reason for this is that the 'Incorp by Reference' certificate throws MS's validation algorithm screwy, and it's caused by an invalid key in the released version of MSIE 5.01.

---
Mat Butler, Winged Wolf [EMAIL PROTECTED]
SPASTIC Web Engineer
SPASTIC Server Administrator