Re: problem:certificate from openssl to work with iplanet enterprise 5.5

2002-12-09 Thread Dr. Stephen Henson
On Mon, Dec 09, 2002, wen ding wrote:

> hi,
> 
> I try to use openssl to issue and manage certificates for internal usage.
> I generated CA ROOT certificate with utility from openssl and issued server
> certificate signed by the CA ROOT. The server certificate and CA ROOT worked
> very well with iplanet fasttrack 4.1, an early version web server from Sun.
> After that I tried to use it with iplanet enterprise 5.5, the server
> certificate can be installed successfully. But the CA ROOT certificate can be
> recognized by iplanet enterprise 5.5, but when I tried to add it, the system
> failed with the message:
> "Incorrect Usage:Invalid certificate
> The server could not import one of the certificates".
> 
> I found all ROOT CA from commercial CA can cooperate well with iplanet
> enterprise and in version field of all certificates from commercial CA 'V3'
> indicates that X509 version 3. In all certificates issued from openssl, the
> version field is filled with 'V1'. There are also other differences, such as
> fields "issuing organization key id" and "subject key id" do not exist in
> certificates from openssl.
>
> Besides the problem as stated above, the crl generated from openssl either
> cannot work under iplanet enterprise and its version is also 'V1' while
> revocation list from commercial product is 'V3'.
>
> As I am a newbie in using openssl, I welcome anyone provide me with any
> advice. Thanks in advance.
> 
> My email is [EMAIL PROTECTED]
> 
> Great thanks!
> 
> dingwen from China
> 

You haven't mentioned what technique you used to generate the certificates
with OpenSSL. If you'd used CA.pl (see manual page) it would create V3
certificates and include the extensions you mention.

OpenSSL by default creates V1 CRLs because some versions of Netscape choke on
them. By adding extensions it can create a V2 CRL. Not sure what you mean by a
"V3 CRL"; do you have an example you could post?

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
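
The V3 root certificate and V2 CRL described in the reply above, as an added example that is not part of the thread and is not OpenSSL's CA.pl: a config that sets the extensions explicitly, followed by a check of the version fields. The file names, the subject name and the section names `v3_ca` and `crl_ext` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: V3 root certificate and V2 CRL from an explicit config.
# All file names, the subject name and the section names are constructed.

build_ca() {  # $1 = empty working directory
  dir=$1
  : > "$dir/index.txt"                 # empty CA database for "openssl ca"
  cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Internal Root
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $dir/index.txt
default_md       = sha256
default_crl_days = 30
crl_extensions   = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
  # Self-signed root; carrying extensions requires an X.509 V3 certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
  # CRL with extensions; per the reply, adding extensions yields a V2 CRL.
  openssl ca -gencrl -config "$dir/ca.cnf" -keyfile "$dir/ca.key" \
    -cert "$dir/ca.pem" -out "$dir/ca.crl" 2>/dev/null
}

# Print the version number from "openssl x509|crl -text" ("Version: 3 (0x2)").
obj_version() {  # $1 = x509 | crl, $2 = PEM file
  openssl "$1" -in "$2" -noout -text |
    sed -n 's/^ *Version:* *\([0-9][0-9]*\) (0x.*/\1/p' | head -n 1
}

work=$(mktemp -d)
build_ca "$work" || { echo "openssl failed" >&2; exit 1; }
echo "certificate version: $(obj_version x509 "$work/ca.pem")"
echo "CRL version:         $(obj_version crl "$work/ca.crl")"
openssl x509 -in "$work/ca.pem" -noout -text | grep 'Key Identifier'
```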



problem:certificate from openssl to work with iplanet enterprise 5.5

2002-12-09 Thread wen ding
hi,

I try to use openssl to issue and manage certificates for internal usage.
I generated CA ROOT certificate with utility from openssl and issued server
certificate signed by the CA ROOT. The server certificate and CA ROOT worked
very well with iplanet fasttrack 4.1, an early version web server from Sun.
After that I tried to use it with iplanet enterprise 5.5, the server
certificate can be installed successfully. But the CA ROOT certificate can be
recognized by iplanet enterprise 5.5, but when I tried to add it, the system
failed with the message:
"Incorrect Usage:Invalid certificate
The server could not import one of the certificates".

I found all ROOT CA from commercial CA can cooperate well with iplanet
enterprise and in version field of all certificates from commercial CA 'V3'
indicates that X509 version 3. In all certificates issued from openssl, the
version field is filled with 'V1'. There are also other differences, such as
fields "issuing organization key id" and "subject key id" do not exist in
certificates from openssl.

Besides the problem as stated above, the crl generated from openssl either
cannot work under iplanet enterprise and its version is also 'V1' while
revocation list from commercial product is 'V3'.

As I am a newbie in using openssl, I welcome anyone provide me with any
advice. Thanks in advance.

My email is [EMAIL PROTECTED]

Great thanks!

dingwen from China
