Re: R: Cert signed by own CA and IE
Genkin.

I think I know what your problem is. You must add the issuer of the certificate to the certificate chain. The problem is that IE doesn't have the ROOT (issuer) for the certificate and it must have the entire chain to consider it trusted. Place the issuer (I think Thpoon CA) to the certificate chain (usually ca-bundle.pem) so mod_ssl has a way to offer the entire certification chain to the browser. Right now this is not happening as IE cannot retrieve the ROOT certificate from the session.

Hope it works, drop me a line

Diego

----- Original Message -----
From: "Arcady Genkin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 16, 2001 10:01 PM
Subject: Re: R: Cert signed by own CA and IE

> "Andrea Cerrito" <[EMAIL PROTECTED]> writes:
>
> > > > > Connecting to a secure site with a certificate signed by own CA, IE
> > > > > seems to provide no obvious way of permanently adding the cert to the
> > > > > browser's configuration. As a result, a warning that "The security
> > > > > certificate is issued by a company you have not chosen to trust..." is
> > > > > displayed every time I'm trying to establish a connection. Is there a
> > > > > fool-proof way to permanently add a certificate or tell IE that the CA
> > > > > is to be trusted?
> > > >
> > > > Show Certificate / Install Certificate.
> > >
> > > I tried that, and it didn't work. It told me that the certificate was
> > > installed successfully, but once I quit IE, restart it, and load the
> > > page again, it displays the same warning again.
> > >
> > > The minimal html page I'm experimenting with is at https://www.thpoon.com
> > > If anyone would try to install the certificate from it in IE: maybe I
> > > did something wrong with configuration?
> >
> > I wasn't able to install it. Can u print your conf?
>
> You mean from httpd.conf? Since it's huge, I've posted it at
>
> http://www.thpoon.com/tmp/httpd.conf
>
> rather than sending to the list. The SSL-related stuff is at the
> bottom of it.
>
> Thanks!
>
> p.s. This is a repost, since I have replied from a different email
> address than the one I've subscribed from and I'm afraid that it
> didn't come through. Sorry if this is a dupe.
> --
> Arcady Genkin

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: R: Cert signed by own CA and IE
Looked at your config and it's broken. Missing SSLCertificateChainFile and SSLCACertificatePath or SSLCACertificateFile. Read their significates.

To build a SSLCACertificateFile you must cat PEM certificates in a single file (pretty convenient IMO). To build the SSLCertificateChainFile do the same with the server certificate plus the ROOT certificate, additionally SSLCertificateChainFile and SSLCertificateFile can be the same file.

Diego

----- Original Message -----
From: "Arcady Genkin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 16, 2001 10:01 PM
Subject: Re: R: Cert signed by own CA and IE

> "Andrea Cerrito" <[EMAIL PROTECTED]> writes:
>
> > > > > Connecting to a secure site with a certificate signed by own CA, IE
> > > > > seems to provide no obvious way of permanently adding the cert to the
> > > > > browser's configuration. As a result, a warning that "The security
> > > > > certificate is issued by a company you have not chosen to trust..." is
> > > > > displayed every time I'm trying to establish a connection. Is there a
> > > > > fool-proof way to permanently add a certificate or tell IE that the CA
> > > > > is to be trusted?
> > > >
> > > > Show Certificate / Install Certificate.
> > >
> > > I tried that, and it didn't work. It told me that the certificate was
> > > installed successfully, but once I quit IE, restart it, and load the
> > > page again, it displays the same warning again.
> > >
> > > The minimal html page I'm experimenting with is at https://www.thpoon.com
> > > If anyone would try to install the certificate from it in IE: maybe I
> > > did something wrong with configuration?
> >
> > I wasn't able to install it. Can u print your conf?
>
> You mean from httpd.conf? Since it's huge, I've posted it at
>
> http://www.thpoon.com/tmp/httpd.conf
>
> rather than sending to the list. The SSL-related stuff is at the
> bottom of it.
>
> Thanks!
>
> p.s. This is a repost, since I have replied from a different email
> address than the one I've subscribed from and I'm afraid that it
> didn't come through. Sorry if this is a dupe.
> --
> Arcady Genkin
R: R: Cert signed by own CA and IE
Sorry for delay, I was on beach... :)
I saw you solved your problem. Great.

---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 744 5441330
Fax. +39 744 5441372

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On behalf of Paul-Catalin Oros
> Sent: Friday, 18 May 2001 17.59
> To: [EMAIL PROTECTED]
> Subject: Re: R: Cert signed by own CA and IE
>
>
> Hi Arcady!
>
> Have you solved your problem? I was able to install your
> Certificate, after I installed your self-signed CA certificate.
> Is it possible this to be the missing step in your testing? The
> CA cert has to be added to your root auth., then you'll be able
> to install the actual server certificate.
>
> Hope this helps,
>
> Paul
>
> PS: I am using IE 5.0
>
> On Wed, 16 May 2001, Arcady Genkin wrote:
>
> > "Andrea Cerrito" <[EMAIL PROTECTED]> writes:
> >
> > > > > > Connecting to a secure site with a certificate signed by own CA, IE
> > > > > > seems to provide no obvious way of permanently adding the cert to the
> > > > > > browser's configuration. As a result, a warning that "The security
> > > > > > certificate is issued by a company you have not chosen to trust..." is
> > > > > > displayed every time I'm trying to establish a connection. Is there a
> > > > > > fool-proof way to permanently add a certificate or tell IE that the CA
> > > > > > is to be trusted?
> > > > >
> > > > > Show Certificate / Install Certificate.
> > > >
> > > > I tried that, and it didn't work. It told me that the certificate was
> > > > installed successfully, but once I quit IE, restart it, and load the
> > > > page again, it displays the same warning again.
> > > >
> > > > The minimal html page I'm experimenting with is at https://www.thpoon.com
> > > > If anyone would try to install the certificate from it in IE: maybe I
> > > > did something wrong with configuration?
> > >
> > > I wasn't able to install it. Can u print your conf?
> >
> > You mean from httpd.conf? Since it's huge, I've posted it at
> >
> > http://www.thpoon.com/tmp/httpd.conf
> >
> > rather than sending to the list. The SSL-related stuff is at the
> > bottom of it.
> >
> > Thanks!
> >
> > p.s. This is a repost, since I have replied from a different email
> > address than the one I've subscribed from and I'm afraid that it
> > didn't come through. Sorry if this is a dupe.
> > --
> > Arcady Genkin
>
> --
> Bills travel through the mail at twice the speed of checks
Re: R: Cert signed by own CA and IE
Paul-Catalin Oros <[EMAIL PROTECTED]> writes:

> Have you solved your problem? I was able to install your
> Certificate, after I installed your self-signed CA certificate. Is
> it possible this to be the missing step in your testing? The CA cert
> has to be added to your root auth., then you'll be able to install
> the actual server certificate.

Yes, it seems that I have solved the problem by pointing SSLCertificateChainFile to my ca.crt, with off-list help from another list member. It now works fine.

In my opinion the easiest way of configuring IE to access sites with certificates signed by own CAs is to put the CA's certificate in a URL and let the users click on it: the browser will pop up a dialogue to install a new root authority cert, and after that all is done.

Thanks,
--
Arcady Genkin
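The bundle-building and trust relationship discussed in this thread, as an added example (not code posted by anyone on the list): it assumes the `openssl` command-line tool is installed and uses a constructed throwaway CA, host name and file names.

```shell
#!/bin/sh
# Added example: every name here (Demo Root CA, www.example.test, the file
# names) is constructed for the demo; nothing comes from the thread's site.

make_root() {    # $1 = dir, $2 = basename, $3 = CN; writes a self-signed root
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

make_server() {  # $1 = dir, $2 = CA basename; writes server.crt signed by it
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 2 -CAcreateserial \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -out "$1/server.crt" 2>/dev/null
}

trusts() {       # $1 = PEM file of trusted roots, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

bundle_count() { # number of certificates concatenated in a PEM bundle
    grep -c 'BEGIN CERTIFICATE' "$1"
}

work=$(mktemp -d)
make_root "$work" ca "Demo Root CA"
make_root "$work" other "Unrelated Root CA"
make_server "$work" ca

# A bundle is just PEM certificates concatenated with cat. In httpd.conf the
# matching mod_ssl directives would be (paths hypothetical):
#   SSLCertificateFile      /path/to/server.crt
#   SSLCertificateChainFile /path/to/ca.crt
cat "$work/server.crt" "$work/ca.crt" > "$work/chain.pem"
echo "chain.pem holds $(bundle_count "$work/chain.pem") certificates"

# Client view: the server certificate validates only against a trust store
# that contains its issuing root.
if trusts "$work/ca.crt" "$work/server.crt"; then
    echo "root in trust store: server.crt verifies"
fi
if ! trusts "$work/other.crt" "$work/server.crt"; then
    echo "root missing from trust store: verification fails"
fi
```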
Re: R: Cert signed by own CA and IE
Hi Arcady!

Have you solved your problem? I was able to install your Certificate, after I installed your self-signed CA certificate. Is it possible this to be the missing step in your testing? The CA cert has to be added to your root auth., then you'll be able to install the actual server certificate.

Hope this helps,

Paul

PS: I am using IE 5.0

On Wed, 16 May 2001, Arcady Genkin wrote:

> "Andrea Cerrito" <[EMAIL PROTECTED]> writes:
>
> > > > > Connecting to a secure site with a certificate signed by own CA, IE
> > > > > seems to provide no obvious way of permanently adding the cert to the
> > > > > browser's configuration. As a result, a warning that "The security
> > > > > certificate is issued by a company you have not chosen to trust..." is
> > > > > displayed every time I'm trying to establish a connection. Is there a
> > > > > fool-proof way to permanently add a certificate or tell IE that the CA
> > > > > is to be trusted?
> > > >
> > > > Show Certificate / Install Certificate.
> > >
> > > I tried that, and it didn't work. It told me that the certificate was
> > > installed successfully, but once I quit IE, restart it, and load the
> > > page again, it displays the same warning again.
> > >
> > > The minimal html page I'm experimenting with is at https://www.thpoon.com
> > > If anyone would try to install the certificate from it in IE: maybe I
> > > did something wrong with configuration?
> >
> > I wasn't able to install it. Can u print your conf?
>
> You mean from httpd.conf? Since it's huge, I've posted it at
>
> http://www.thpoon.com/tmp/httpd.conf
>
> rather than sending to the list. The SSL-related stuff is at the
> bottom of it.
>
> Thanks!
>
> p.s. This is a repost, since I have replied from a different email
> address than the one I've subscribed from and I'm afraid that it
> didn't come through. Sorry if this is a dupe.
> --
> Arcady Genkin

--
Bills travel through the mail at twice the speed of checks
Re: R: Cert signed by own CA and IE
"Andrea Cerrito" <[EMAIL PROTECTED]> writes:

> > > > Connecting to a secure site with a certificate signed by own CA, IE
> > > > seems to provide no obvious way of permanently adding the cert to the
> > > > browser's configuration. As a result, a warning that "The security
> > > > certificate is issued by a company you have not chosen to trust..." is
> > > > displayed every time I'm trying to establish a connection. Is there a
> > > > fool-proof way to permanently add a certificate or tell IE that the CA
> > > > is to be trusted?
> > >
> > > Show Certificate / Install Certificate.
> >
> > I tried that, and it didn't work. It told me that the certificate was
> > installed successfully, but once I quit IE, restart it, and load the
> > page again, it displays the same warning again.
> >
> > The minimal html page I'm experimenting with is at https://www.thpoon.com
> > If anyone would try to install the certificate from it in IE: maybe I
> > did something wrong with configuration?
>
> I wasn't able to install it. Can u print your conf?

You mean from httpd.conf? Since it's huge, I've posted it at

http://www.thpoon.com/tmp/httpd.conf

rather than sending to the list. The SSL-related stuff is at the bottom of it.

Thanks!

p.s. This is a repost, since I have replied from a different email address than the one I've subscribed from and I'm afraid that it didn't come through. Sorry if this is a dupe.
--
Arcady Genkin
R: Cert signed by own CA and IE
I wasn't able to install it. Can u print your conf?

---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 744 5441330
Fax. +39 744 5441372

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On behalf of Arcady Genkin
> Sent: Wednesday, 16 May 2001 19.11
> To: [EMAIL PROTECTED]
> Cc: Andrea Cerrito
> Subject: Re: Cert signed by own CA and IE
>
>
> "Andrea Cerrito" <[EMAIL PROTECTED]> writes:
>
> > > Connecting to a secure site with a certificate signed by own CA, IE
> > > seems to provide no obvious way of permanently adding the cert to the
> > > browser's configuration. As a result, a warning that "The security
> > > certificate is issued by a company you have not chosen to trust..." is
> > > displayed every time I'm trying to establish a connection. Is there a
> > > fool-proof way to permanently add a certificate or tell IE that the CA
> > > is to be trusted?
> > >
> > > Any pointers highly appreciated,
> >
> > Show Certificate / Install Certificate.
>
> I tried that, and it didn't work. It told me that the certificate was
> installed successfully, but once I quit IE, restart it, and load the
> page again, it displays the same warning again.
>
> The minimal html page I'm experimenting with is at https://www.thpoon.com
> If anyone would try to install the certificate from it in IE: maybe I
> did something wrong with configuration?
>
> Many thanks,
> --
> Arcady Genkin
R: Cert signed by own CA and IE
Show Certificate / Install Certificate.

---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 744 5441330
Fax. +39 744 5441372

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On behalf of Arcady Genkin
> Sent: Wednesday, 16 May 2001 10.31
> To: [EMAIL PROTECTED]
> Subject: Cert signed by own CA and IE
>
>
> Connecting to a secure site with a certificate signed by own CA, IE
> seems to provide no obvious way of permanently adding the cert to the
> browser's configuration. As a result, a warning that "The security
> certificate is issued by a company you have not chosen to trust..." is
> displayed every time I'm trying to establish a connection. Is there a
> fool-proof way to permanently add a certificate or tell IE that the CA
> is to be trusted?
>
> Any pointers highly appreciated,
> --
> Arcady Genkin