How To: orion shows selfmade openssl client certificates

2001-03-21 Thread Matthias Schmitt


Problem:

Client certificates made by openssl are not listed in the certificate
dialog box of the browser (especially IE).

Reason:
If you contact the secure Orionserver with Client-Authentication needed, you
get a list of allowed DN-Strings in the Form:

 ---
 Acceptable client certificate CA names
 /C=DE/ST=Germany/L=Koeln/O=ixmid Software Technologie GmbH/OU=Certificate Authority/CN=ixmid [EMAIL PROTECTED]
 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte/OU=Certificate Services/CN=Personal Freemail RSA 2000.8.30
 ---
 you can verify this with:
 openssl s_client -connect localhost:443 -prexit

The browser (especially IE) searches for all client certificates with these
issuers.
In your local client certificate you will find an issuer entry like
 E = [EMAIL PROTECTED]
 CN = factory.ixmid.com
 OU = Certficate Factory
 O = ixmid Software Technologie GmbH
 L = Koeln
 S = NRW
 C = DE

So you get a mismatch between "E=" and "Email=" and the browser can't find
your client certificate.

All Thawte/Verisign certificates work, because these issuers don't have an
"Email" entry.

Simple Solution:

Your CA shouldn't have an Email-entry. Make a new CA without it.

Better Solution:

orion should reply with the "Acceptable client certificate CA names" using E=
instead of Email=


I hope this helps.

Matthias Schmitt
---
ixmid Software Technologie GmbH

[EMAIL PROTECTED]
http://www.ixmid.com

Eichendorffstr. 32
50825 Köln
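
For comparing by hand the issuer a certificate viewer shows with the "Acceptable client certificate CA names" printed by `openssl s_client`, the following is an added example, not part of the original post and not Orion or OpenSSL code. It assumes E/Email/emailAddress and S/ST are display labels for the same attribute types and that the viewer lists attributes most-specific first, as in the post; apart from the Thawte name quoted above, the DNs are constructed with `example.invalid` placeholders.

```python
import re
from itertools import zip_longest

# Assumption: these are only display labels for one attribute type each.
ALIASES = {"E": "emailAddress", "EMAIL": "emailAddress",
           "EMAILADDRESS": "emailAddress", "S": "ST"}

def canon(label):
    """Map a tool-specific label (E, Email, S, ...) to one canonical name."""
    label = label.strip().upper()
    return ALIASES.get(label, label)

def parse_openssl_oneline(dn):
    """Parse '/C=DE/ST=.../CN=...' as printed in the s_client CA name list."""
    # Split only on '/' that starts a new 'LABEL=' so values may contain '/'.
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn.strip())
    return [(canon(k), v.strip())
            for k, v in (p.split("=", 1) for p in parts if p)]

def parse_viewer_lines(text):
    """Parse 'LABEL = value' lines (most specific first) into encoding order."""
    rdns = []
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            rdns.append((canon(k), v.strip()))
    return rdns[::-1]

def diff_dn(issuer, ca):
    """Return the (issuer_attr, ca_attr) pairs that differ, position by position."""
    return [(a, b) for a, b in zip_longest(issuer, ca) if a != b]

def issuer_acceptable(issuer, ca_names):
    """True if the issuer equals one of the acceptable CA names."""
    return any(not diff_dn(issuer, ca) for ca in ca_names)

# Constructed sample input (first DN is made up; second is quoted in the post).
ACCEPTABLE = [parse_openssl_oneline(s) for s in (
    "/C=DE/ST=NRW/L=Koeln/O=Example GmbH/OU=Certificate Authority"
    "/CN=Example CA/Email=ca@example.invalid",
    "/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte/OU=Certificate Services"
    "/CN=Personal Freemail RSA 2000.8.30",
)]
VIEWER_SAME = ("E = ca@example.invalid\nCN = Example CA\n"
               "OU = Certificate Authority\nO = Example GmbH\n"
               "L = Koeln\nS = NRW\nC = DE")
VIEWER_OTHER = VIEWER_SAME.replace("Example CA", "factory.example.invalid") \
                          .replace("Certificate Authority", "Certificate Factory")

if __name__ == "__main__":
    for name, text in (("same", VIEWER_SAME), ("other", VIEWER_OTHER)):
        issuer = parse_viewer_lines(text)
        print(name, issuer_acceptable(issuer, ACCEPTABLE),
              diff_dn(issuer, ACCEPTABLE[0]))
```
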







wrong issuer in server certificate

2000-11-22 Thread Matthias Schmitt



 I've made a server certificate signed with my own CA (using openssl). If I
 connect with orion (https:\\servername) the certificate shows the wrong
 issuer:
 not my CA, but the server.
 What is wrong here?

 How can I tell the orion server which CAs to accept for client certificates?

 Thank you,
 Matthias Schmitt
 ---
 ixmid
 Software Technologie GmbH

  [EMAIL PROTECTED]
 http://www.ixmid.com