Re: Newbie question - Signing CSR's

2003-08-23 Thread Dr. Stephen Henson
On Thu, Aug 21, 2003, Rohan Pinto wrote: I have a SunONE WebServer 6.0 running on a certain subnet. (www.abcd.com - for this example) The Webserver serves content over http. I intend to protect this content via PDC authentication. To do so, I'd need 2 things. 1. A Server Cert 2. A User

Re: Newbie question - Signing CSR's

2003-08-22 Thread Charles B Cranston
Dr. Stephen Henson wrote: On Fri, Aug 22, 2003, Charles B Cranston wrote: Well, the sad answer to this question is yes. It turns out that in the design of SSL the client does the verification, so each client has its own little set of peccadillos. Indeed but if the OP means that you need a

Re: Newbie question - Signing CSR's

2003-08-22 Thread Dr. Stephen Henson
On Fri, Aug 22, 2003, Charles B Cranston wrote: Dr. Stephen Henson wrote: These are some of the ones we found: Netscape 4 will not tolerate an ExtendedKeyUsage extension. Hmmm. What makes you think that? EKU is *required* to handle step up (aka SGC, magic, 128 bit [yuck]) and Netscape 4

Re: Newbie question - Signing CSR's

2003-08-22 Thread Charles B Cranston
Continuation of a dialog between Dr. Stephen Henson and Charles B Cranston: B: These are some of the ones we found: B: Netscape 4 will not tolerate an ExtendedKeyUsage extension. S: Hmmm. What makes you think that? EKU is *required* to handle step up S: (aka SGC, magic, 128 bit [yuck]) and

Re: Newbie question - Signing CSR's

2003-08-22 Thread Charles B Cranston
Well, I took dumps of the two certificates (and CSR) that Rohan provided, and the dates overlap, which might be the IE specific problem. At first it looked like the subject DNs were exactly the same between the two certificates, but upon closer examination the subject DN for the server certificate

Re: Newbie question - Signing CSR's

2003-08-22 Thread Dr. Stephen Henson
On Fri, Aug 22, 2003, Charles B Cranston wrote: Continuation of a dialog between Dr. Stephen Henson and Charles B Cranston: B: These are some of the ones we found: B: Netscape 4 will not tolerate an ExtendedKeyUsage extension. S: Hmmm. What makes you think that? EKU is *required* to

Re: Newbie question - Signing CSR's

2003-08-22 Thread Charles B Cranston
Based on a dialog that said unknown critical extension I've never seen that dialog on Netscape, though I've seen IE produce it. What I'm saying is that stepup uses EKU (among other things) to identify its certificates Netscape 4.[something] did support stepup so presumably it at least partially

Re: Newbie question - Signing CSR's

2003-08-22 Thread Dr. Stephen Henson
On Fri, Aug 22, 2003, Charles B Cranston wrote: Based on a dialog that said unknown critical extension I've never seen that dialog on Netscape, though I've seen IE produce it. What I'm saying is that stepup uses EKU (among other things) to identify its certificates Netscape 4.[something]

Re: Newbie question - Signing CSR's

2003-08-21 Thread Charles B Cranston
Message - From: Charles B Cranston [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 12:21 PM Subject: Re: Newbie question - Signing CSR's Rohan Pinto wrote: I wrote What you need to do is: 1. create a root certificate 2. install that root certificate into all your web browsers

Re: Newbie question - Signing CSR's (picture enclosed)

2003-08-20 Thread Rohan Pinto
- From: Charles B Cranston [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 12:50 PM Subject: Re: Newbie question - Signing CSR's (picture enclosed) Sometimes a picture is worth a thousand words: The Standard Model of Certificate generation: On the server machine: Generate

Re: Newbie question - Signing CSR's (picture enclosed)

2003-08-20 Thread Dr. Stephen Henson
On Wed, Aug 20, 2003, Rohan Pinto wrote: So... if the CSR has been generated and the CSR has been sent to the CA (running openssl) what's the command (in openssl) to sign this CSR? anything on the lines of.. ./openssl -some parameters- request.CSR -some parameters-

Re: Newbie question - Signing CSR's

2003-08-20 Thread Rohan Pinto
cacert.srl, but I never specified this filename, any insight on this Rohan - Original Message - From: Charles B Cranston [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 12:21 PM Subject: Re: Newbie question - Signing CSR's Rohan Pinto wrote: I wrote What you need to do

Re: Newbie question - Signing CSR's

2003-08-19 Thread Dr. Stephen Henson
On Tue, Aug 19, 2003, Rohan Pinto wrote: This is the part that I would need help on. I have created a root certificate, I've imported that into all my web browsers and also on the webserver. I have also created a CSR from the webserver. I don't know how to sign the CSR. If I could get some

Re: Newbie question - Signing CSR's

2003-08-19 Thread Charles B Cranston
Rohan Pinto wrote: I wrote What you need to do is: 1. create a root certificate 2. install that root certificate into all your web browsers 3. create a CSR on the server 4. use the root to sign that CSR into a server certificate This is the part that I would need help on. I have created a root

Re: Newbie question - Signing CSR's (picture enclosed)

2003-08-19 Thread Charles B Cranston
Sometimes a picture is worth a thousand words: The Standard Model of Certificate generation: On the server machine: Generate CSR operation [ASCII diagram: boxes labelled "Private Key" and "Certificate Signing Request"]