Problem: ŻŻŻŻŻŻŻŻ Client Certificates made by openssl, are not listed in the certificate dialog box of the browser (especially IE). Reason: ŻŻŻŻŻŻŻ If you contact the secure Orionserver with Client-Authentication needed, you get a list of allowed DN-Strings in the Form: --- Acceptable client certificate CA names /C=DE/ST=Germany/L=Koeln/O=ixmid Software Technologie GmbH/OU=Certificate Authority/CN=ixmid [EMAIL PROTECTED] /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte/OU=Certificate Services/CN=Personal Freemail RSA 2000.8.30 --- you can verify this with: openssl s_client -connect localhost:443 -prexit The Browser (specially: IE) searches for all Client Certficates with this Issuers In your local Client Certificate you will find an Issuer-entry like E = [EMAIL PROTECTED] CN = factory.ixmid.com OU = Certficate Factory O = ixmid Software Technologie GmbH L = Koeln S = NRW C = DE So you get an mismatch between "E=" and "Email=" and the browser can't find your client certificate All Thawte/Verisign-Certificates work, because these issuers doesn't have an "Email"-entry. Simple Solution: ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ Your CA shouldn't have an Email-entry. Make a new CA without it. Better Solution: ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ orion should reply the "Acceptable client certificate CA names" with E= instead of Email= I hope this helps. Matthias Schmitt ----------------------------------------------- ixmid Software Technologie GmbH [EMAIL PROTECTED] http://www.ixmid.com Eichendorffstr. 32 50825 Köln