Andrew Brady wrote:
>
> I am setting up a Certificate Enrollment web page
> that allows MS IE (and Netscape) users to request and
> obtain a certificate automatically.
>
> I have to include the uid in the DN to support
> some applications that already exist here.
>
> The Microsoft Certificate Enrollment Control
> creates a PKCS10 object using CreatePKCS10
> which takes as arguments DN and an OID.
>
> This quite happily accepts arguments when the
> DN is constructed of attributes that are acceptable
> to it, but if I use uid, it fails with an error.
> The xenroll documentation specifies that the DN must
> be a valid X500 name (I have looked and I cannot find
> anything that tells me if uid is valid).
>
MY WORK AROUND
==
I have decided, unless anyone can give me a strong reason
why not, to place the uid in the CN attribute for MSIE
certificates, e.g.:
C=EU, O=ECMWF, CN=Andy Brady (myuid)[EMAIL PROTECTED]
This will force any local app programmers to write code
specifically to parse the uid out of the CN, if the
uid attribute does not exist. If at a future date
I can include uid, no app code needs to change.
NEXT PROBLEM
So I now have an SSL client cert that works in Netscape (4.7)
and MSIE5 but does not work in MSIE4.
MSIE4 appears to accept the certificate and places it in
the certificate database. Unfortunately it does not show
it in its list under View->Internet Options->Content->Personal.
The certificate is there though as certmgr sees it.
If I try to connect to a suitable SSL site that expects client
auth, I get an empty listbox from which MSIE4 expects me
to pick a certificate to use. This works fine from Netscape
and MSIE5. The SSL server is providing the correct acceptable
CA list. Is there something wrong with the certificate that
MSIE4 gets? Is it missing some vital ingredient so that it
can be used as an SSL client cert?
An X.509 example cert and dummy CA are attached.
Any hints would be most welcome.
Andy
PS Thanks to Stephen Henson. Your site is very useful.
--
Andy Brady                          Email : [EMAIL PROTECTED]
Web Services Group                  Tel   : +44(0)118 9499252
E.C.M.W.F.                          Fax   : +44(0)118 9869450
Shinfield Park, Reading, RG2 9AX    Web   : http://www.ecmwf.int
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 25 (0x19)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=EU, O=ECMWF, CN=Test [EMAIL PROTECTED]
        Validity
            Not Before: Nov 18 17:54:58 1999 GMT
            Not After : Nov 28 17:54:58 1999 GMT
        Subject: C=EU, O=ECMWF, CN=Andrew Brady (syb)[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Key Identifier:
                E3:E3:B8:AB:12:68:FD:20:CE:8D:DB:EB:EB:CC:6D:EB:51:F3:F8:0C
            X509v3 Authority Key Identifier:
                keyid:2E:AF:C0:67:E5:2A:5E:47:8A:32:FC:00:5E:C2:99:EF:A2:97:33:D2
                DirName:/C=EU/O=ECMWF/CN=Test [EMAIL PROTECTED]
                serial:00
            Netscape CA Revocation Url:
                https://w3cert.ecmwf.int/CA/ecmwf-crl.pem
            Netscape Base Url:
                https://w3cert.ecmwf.int/CA/
            Netscape Revocation Url:
                https://w3cert.ecmwf.int/CA/ecmwf-crl.pem
            Netscape Renewal Url:
                https://w3cert.ecmwf.int/CA/renewal.html
            Netscape CA Policy Url:
                https://w3cert.ecmwf.int/CA/policy.html
            Netscape Comment:
                OpenSSL Generated Certificate, Signed by ECMWF root Certificate
                Authority, https://w3cert.ecmwf.int/
    Signature Algorithm: md5WithRSAEncryption
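Added example, not part of the post above: a small Python helper for the application side of the workaround described there. It prefers a real uid attribute when the subject DN carries one and otherwise parses the "(uid)" suffix out of the CN, so application code needs no change once uid can be put in the DN. The sample subjects are constructed from the DN form used in the post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample subjects, modelled on the workaround DN in the post.
# In a deployment the subject string would come from the client certificate
# presented at the SSL layer (for example a server variable such as
# SSL_CLIENT_S_DN), not from a literal.
SUBJECT_UID_IN_CN = "C=EU, O=ECMWF, CN=Andy Brady (myuid)"
SUBJECT_WITH_UID_ATTR = "C=EU, O=ECMWF, UID=myuid, CN=Andy Brady"
SUBJECT_NO_UID = "C=EU, O=ECMWF, CN=Andy Brady"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a comma-separated DN into (type, value) pairs.

    Backslash-escaped commas inside a value are honoured, so a CN such as
    'Brady\\, Andy' is not broken into two RDNs.  Attribute types are
    upper-cased so 'uid' and 'UID' compare equal.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


# A uid in parentheses inside the CN, e.g. "Andy Brady (myuid)".  The allowed
# character set is kept conservative so free text in the name cannot be
# mistaken for an account name; the last such group in the CN wins.
_CN_UID = re.compile(r"\(([A-Za-z0-9._-]{1,32})\)")


def extract_uid(dn: str) -> Optional[str]:
    """Return the uid from a subject DN: the UID attribute if present,
    else the parenthesised token in the CN, else None."""
    attrs = split_dn(dn)
    for attr_type, value in attrs:
        if attr_type == "UID" and value:
            return value
    for attr_type, value in attrs:
        if attr_type == "CN":
            found = _CN_UID.findall(value)
            if found:
                return found[-1]
    return None
```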