After consulting Clifford Heath's excellent page
(http://www.osa.com.au/~cjh/software/crypto/) on client certificate management,
I was able to get the signing and issuing of Netscape
client certificates up and running. Unfortunately, signing MSIE 4 client
certificate was not so easy. For one thing, MSIE 4 now uses xenroll.dll to
generate public/private keypair instead of certenr3.dll.
After some more research, I found Martin Ouwehand's wonderful page
(http://cognac.epfl.ch/SIC/SL/CA/) on setting up your own CA, and he has scripts
that handles MSIE 4 client certificates. With his scripts, I managed to generate
a client certificate request on MSIE 4. I proceed to use Ouwehand's script to
sign it, but I am getting "signature verification problems" using either SSLeay
0.8.1 or 0.9.0.
The CSR in PEM form is as follows:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=XY, ST=AnyState, L=AnyCity, O=Org Inc., OU=Computing, CN=Grog
[EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (511 bit)
Modulus (511 bit):
72:29:44:62:57:99:02:39:12:68:62:3f:dc:37:1b:
1d:e0:81:b8:ac:c9:7b:90:2f:4d:30:b2:1f:17:8d:
85:5e:70:39:84:58:24:f6:0f:6e:bd:5f:ca:1c:c6:
15:53:50:ed:ff:f3:99:1b:4e:b8:c1:4f:ad:73:34:
90:65:f8:0f
Exponent: 65537 (0x10001)
Attributes:
1.3.6.1.4.1.311.2.1.14 :unable to print attribute
Signature Algorithm: UNKNOWN
50:e3:7c:42:d7:40:82:f2:f2:40:fd:ff:00:53:cb:d6:e3:66:
1b:05:12:ca:9b:4e:ea:74:bf:d2:d9:6f:e6:c0:80:41:b5:e6:
0a:c7:b7:db:45:33:88:5f:e5:fb:b9:ea:54:15:85:6b:6b:66:
50:c8:d6:c5:cf:a9:ef:1b:bb:a4
-----BEGIN CERTIFICATE REQUEST-----
MIIBgDCCAS4CAQAwgZIxCzAJBgNVBAYTAlhZMREwDwYDVQQIEwhBbnlTdGF0ZTEQ
MA4GA1UEBxMHQW55Q2l0eTERMA8GA1UEChMIT3JnIEluYy4xEjAQBgNVBAsTCUNv
bXB1dGluZzEUMBIGA1UEAxMLR3JvZyBHb2JsaW4xITAfBgkqhkiG9w0BCQEWEmdv
YmxpbkBpc3IudW1kLmVkdTBbMA0GCSqGSIb3DQEBAQUAA0oAMEcCQHIpRGJXmQI5
EmhiP9w3Gx3ggbisyXuQL00wsh8XjYVecDmEWCT2D269X8ocxhVTUO3/85kbTrjB
T61zNJBl+A8CAwEAAaA3MDUGCisGAQQBgjcCAQ4xJzAlMA4GA1UdDwEB/wQEAwIB
ODATBgNVHSUEDDAKBggrBgEFBQcDAjAJBgUrDgMCHQUAA0EAUON8QtdAgvLyQP3/
AFPL1uNmGwUSyptO6nS/0tlv5sCAQbXmCse320UziF/l+7nqVBWFa2tmUMjWxc+p
7xu7pA==
-----END CERTIFICATE REQUEST-----
Note that the Signature Algorithm is UNKNOWN.
I don't have the latest MSIE 4.01 either; could that be part of the
problem?
Any ideas or suggestions would be greatly appreciated.
Leon Poon
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+
