Dr Stephen Henson wrote:

> Tim,
>
> Comments below.
>
> Tim Pushor wrote:
> >
> > Hello,
> >
> > The subject says it all. I am using a combination of SSLeay 0.9.0, ca-fix,
> > and pkcs12 4.1 to attempt to generate a cert chain that will import into
> > MSIE 4.01 (US). I am obviously doing something wrong. This is what I am
> > doing:
> >
>
> > ca-fix -in newcert.pem -out testcert.pem -nscertype 0x20 -inkey
>
> A bit naughty that. I'd suggest you edit the nsCertType line in
> ssleay.cnf. Otherwise the certificates used differ from those in the CA
> directory. Also I'd suggest 0xa0 for SSL client and S/MIME.

Oh. Would it be a problem to edit the certs and stuff them back into the CA dir?
The problem is that I want to dynamically decide what attributes a cert is to
contain. Editing the file before generating a request is not a perfect situation
;-) As for the 0x20, I was grasping at straws. I tried 0xa0 initially and that
did not work either.

>
>
> > pkcs12 -chain -export -name "My Certificate" -in newcert.pem -inkey
> > newreq.pem -out test.p12
> >
> > This creates a pkcs12 object that works fine from communicator but not from
> > MSIE. I get that great old error message "Failed to import certificate".
> >
>
> Several possibilities. If you are using a 1024 bit key and haven't
> applied the domestic security patch and the manual registry fix in the
> FAQ. Otherwise I've known MSIE dislike the CA on occasions: try it
> without the -chain option.
>

I have the US version of Outlook98 and MSIE 4.01. The registry entry for the
Enhanced provider was not set, I did that manually. No luck.

I did everything I could think of reading your notes before posting. I know MSIE
is fussy about what attributes a cert contains after attempting to get V3.x
working with Apache SSL some time ago. I did manage to get that working. That is
why I am making sure I can get MSIE working properly before distributing my CA
cert.

I would like to add that this is my 3rd attempt at doing this all with different
values for all cert attributes, hoping to find something that MSIE would like. I
had to do this to get the SSL version working some time ago, but that was just
in testing, I did not save the CA (and was export strength).

> You may need to manually import the CA certificate into MSIE with:
>
> x509 -in cacert.pem -outform DER -out cacert.der
>
> transfer to the PC and double click on the file. MSIE should let you
> install the CA certificate and trust it. I'll add this to the FAQ in the
> next version. Alternatively you can link to the cacert.der file with a
> web page that returns MIME type application/x-x509-ca-cert.
>

Yes, I have done this. Not with this CA, mind you.

> > Do I need to worry about the -MSIE-hack options to ca?
>
> Nope, that's for something different.
>
> >
> > On another vein, if I want to be able to sign objects (Java applets in
> > particular) do I need to enable object signing on the ca AND on the cert? I
> > haven't played with this yet, but want to make sure my CA is ok for that as
> > well before deploying it to our organization.
> >
>
> Well the Netscape documentation suggests you need both so I'd stick with
> that. Netscape Communicator itself seems to only want the user
> certificate being set but that could change.
>
> On the subject of "deploying" the certificates. You should be aware of
> the fact that the PKCS#12 method is not advisable for generating
> certificates for other users: because you end up knowing their private
> keys. A better method is the server enrollment method where you can
> still install certificates but the users never disclose their private
> keys.
>

Yes, I am aware of this. I was simply rather amused that there may actually be a
means to generate a keypair and have it import into Netscape AND MSIE, and
wanted to check this out. I wanted to make sure my logic was not flawed, as the last
time I played with this stuff was pre-Communicator and MSIE 4.x.

Thanks for your comments,
Tim
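The thread turns on the nsCertType value handed to ca-fix (0x20 versus Stephen's suggested 0xa0) and on whether object signing must be enabled on both the CA and the user certificate. The following is an added example, not code from the thread or from SSLeay: it decodes and encodes the nsCertType bit flags using the bit assignments OpenSSL defines (SSL client 0x80, SSL server 0x40, S/MIME 0x20, object signing 0x10, SSL CA 0x04, S/MIME CA 0x02, object-signing CA 0x01), wraps the value in the DER BIT STRING framing the extension uses, and checks a CA/user pair for the object-signing bits. All inputs are constructed values; no real certificate is parsed, and the function names are this example's own.

```python
"""Decode, encode and DER-frame the Netscape nsCertType extension value.

Added example, not part of the mailing-list thread. Bit assignments follow
OpenSSL's NS_* constants; BIT STRING framing follows X.690 DER rules.
"""

# Netscape certificate-type bits, most significant bit first. 0x08 is
# reserved and never set, so it is deliberately absent from this table.
NS_CERT_TYPE_BITS = {
    0x80: "client",   # SSL client
    0x40: "server",   # SSL server
    0x20: "email",    # S/MIME
    0x10: "objsign",  # object signing
    0x04: "sslCA",    # SSL CA
    0x02: "emailCA",  # S/MIME CA
    0x01: "objCA",    # object-signing CA
}


def decode_ns_cert_type(value: int) -> list:
    """Names of the set bits, MSB first. 0xa0 -> ['client', 'email']."""
    if not 0 <= value <= 0xFF:
        raise ValueError("nsCertType fits in a single octet")
    return [name for bit, name in NS_CERT_TYPE_BITS.items() if value & bit]


def encode_ns_cert_type(names) -> int:
    """Inverse of decode_ns_cert_type: ['client', 'email'] -> 0xa0."""
    inverse = {name: bit for bit, name in NS_CERT_TYPE_BITS.items()}
    value = 0
    for name in names:
        value |= inverse[name]  # KeyError on an unknown name is intended
    return value


def to_der_bit_string(value: int) -> bytes:
    """Frame the octet as a DER BIT STRING: tag 0x03, length, unused-bit
    count, data. DER drops trailing zero bits, so 0xa0 (1010 0000) carries
    five unused bits and encodes as 03 02 05 a0."""
    if not 0 <= value <= 0xFF:
        raise ValueError("nsCertType fits in a single octet")
    if value == 0:
        return b"\x03\x01\x00"  # empty BIT STRING: only the unused-bits octet
    unused = 0
    while (value >> unused) & 1 == 0:
        unused += 1
    return bytes([0x03, 0x02, unused, value])


def from_der_bit_string(der: bytes) -> int:
    """Parse a one-octet DER BIT STRING back to its flag value, rejecting
    the non-DER forms (bad length, set padding bits, non-minimal padding)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("length octet does not match the data")
    unused = der[2]
    if length == 1:
        if unused != 0:
            raise ValueError("empty BIT STRING must declare 0 unused bits")
        return 0
    if length != 2:
        raise ValueError("nsCertType uses at most one data octet")
    if unused > 7:
        raise ValueError("unused-bit count out of range")
    data = der[3]
    if data & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero under DER")
    if unused and not (data >> unused) & 1:
        raise ValueError("trailing zero bits must be stripped under DER")
    return data


def is_valid_der(der: bytes) -> bool:
    """Convenience wrapper: True if from_der_bit_string accepts the input."""
    try:
        from_der_bit_string(der)
        return True
    except ValueError:
        return False


def object_signing_pair_ok(ca_value: int, user_value: int) -> bool:
    """The Netscape guidance cited in the thread wants object signing enabled
    on both ends: objCA (0x01) on the CA cert and objsign (0x10) on the user
    cert. Both bits present -> True."""
    return bool(ca_value & 0x01) and bool(user_value & 0x10)


if __name__ == "__main__":
    for v in (0x20, 0xa0):
        print(hex(v), decode_ns_cert_type(v), to_der_bit_string(v).hex())
```

Running the block prints the two values from the thread side by side: 0x20 decodes to S/MIME only, while 0xa0 decodes to SSL client plus S/MIME, which is why 0x20 is not a sensible setting for a certificate meant for SSL client use. The DER framing is the part people get wrong when they hand-patch an extension rather than setting it in the config file, as Stephen suggests.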


+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/  |
+-------------------------------------------------------------------------+