I thought I'd add some experience on my part, even though I'm not
currently using SSLeay.  I got overruled by mgmt and am deploying a
Netscape version 1.1 CA in my organization (instead of what I wanted,
which was Entrust).  I am having fairly good luck, though, in getting
Netscape-generated certs to work with Netscape 4.4 and up, MSIE 4.0 and
up, Outlook 98, and some plug-ins for mailers such as Eudora.  We haven't
moved on yet to signing objects, but I don't anticipate problems there.
I've had to use the U.S. domestic versions of all the browsers, and I
always install the complete MSIE as opposed to upgrading the 40-bit
version to the 128-bit version.  I also always patch the registry with the
"Enhanced" cryptographic base.

I don't like the way we give out certificates, but what we do is generate
the certificate with a Netscape browser on a dedicated system, we import
the certificate into that browser, then we export it to a file and give
that file to the user.  The reason I don't like it is because of the
privacy aspect, however the plus side is that if users forget their
passwords or lose their certificate file, we can restore it for them.
And, this is a big plus since Netscape browsers handle CRLs poorly and I
haven't found that MSIE or Outlook 98 handle them at all.

So, we generate a .p12 file using 1024-bit keys and all the defaults - no
SHA-1.  Users have been able to import them into MSIE as long as MSIE
trusts the Netscape CA first, which we do with the cacert.cac work-around
suggested by Netscape. Outlook 98, I have to say, provides the most
user-friendly method for looking up others' certificates.

What I'd like to get across is that this all works fairly well as long as
one is extremely careful about versions, patches, procedures, etc.  My
organization is not very big, and I'd hesitate to do anything like this in
a larger organization, like over 1000 people.  With a larger organization,
it might be better to forget the Microsoft products and stick solely with
Netscape.

My .02 cents,
John Wack


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tim Pushor
Sent: Tuesday, June 02, 1998 6:41 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ssl-users] Problems importing S/MIME cert into MSIE..


Dr Stephen Henson wrote:

> Tim,
>
> Comments below.
>
> Tim Pushor wrote:
> >
> > Hello,
> >
> > The subject says it all. I am using a combination of SSLeay 0.9.0, ca-fix,
> > and pkcs12 4.1 to attempt to generate a cert chain that will import into
> > MSIE 4.01 (US). I am obviously doing something wrong. This is what I am
> > doing:
> >
>
> > ca-fix -in newcert.pem -out testcert.pem -nscertype 0x20 -inkey
>
> A bit naughty that. I'd suggest you edit the nsCertType line in
> ssleay.cnf. Otherwise the certificates used differ from those in the CA
> directory. Also I'd suggest 0xa0 for SSL client and S/MIME.

Oh. Would it be a problem to edit the certs and stuff them back into the
CA dir? The problem is that I want to dynamically decide what attributes a
cert is to contain. Editing the file before generating a request is not a
perfect situation ;-) As for the 0x20, I was grasping at straws. I tried
0xa0 initially and that did not work either.

>
>
> > pkcs12 -chain -export -name "My Certificate" -in newcert.pem -inkey
> > newreq.pem -out test.p12
> >
> > This creates a pkcs12 object that works fine from communicator but not from
> > MSIE. I get that great old error message "Failed to import certificate".
> >
>
> Several possibilities. If you are using a 1024 bit key and haven't
> applied the domestic security patch and the manual registry fix in the
> FAQ. Otherwise I've known MSIE dislike the CA on occasions: try it
> without the -chain option.
>

I have the US version of Outlook98 and MSIE 4.01. The registry entry for the
Enhanced provider was not set, I did that manually. No luck.

I did everything I could think of reading your notes before posting. I know
MSIE is fussy about what attributes a cert contains after attempting to get
V3.x working with Apache SSL some time ago. I did manage to get that working.
That is why I am making sure I can get MSIE working properly before
distributing my CA cert.

I would like to add that this is my 3rd attempt at doing this all with
different values for all cert attributes, hoping to find something that MSIE
would like. I had to do this to get the SSL version working some time ago,
but that was just in testing, I did not save the CA (and was export strength).

> You may need to manually import the CA certificate into MSIE with:
>
> x509 -in cacert.pem -outform DER -out cacert.der
>
> transfer to the PC and double click on the file. MSIE should let you
> install the CA certificate and trust it. I'll add this to the FAQ in the
> next version. Alternatively you can link to the cacert.der file with a
> web page that returns MIME type application/x-x509-ca-cert.
>

Yes, I have done this. Not with this CA mind you..

> > Do I need to worry about the -MSIE-hack options to ca?
>
> Nope, that's for something different.
>
> >
> > On another vein, if I want to be able to sign objects (Java applets in
> > particular) do I need to enable object signing on the ca AND on the cert? I
> > haven't played with this yet, but want to make sure my CA is ok for that as
> > well before deploying it to our organization.
> >
>
> Well the Netscape documentation suggests you need both so I'd stick with
> that. Netscape Communicator itself seems to only want the user
> certificate being set but that could change.
>
> On the subject of "deploying" the certificates. You should be aware of
> the fact that the PKCS#12 method is not advisable for generating
> certificates for other users: because you end up knowing their private
> keys. A better method is the server enrollment method where you can
> still install certificates but the users never disclose their private
> keys.
>

Yes, I am aware of this. I was simply rather amused that there may actually
be a means to generate a keypair and have it import into Netscape AND MSIE!
and wanted to check this out. I wanted to make sure my logic was not flawed
as last time I played with this stuff was pre-communicator and msie 4.x.

Thanks for your comments,
Tim
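The workflow this thread circles around, reconstructed with the current `openssl` command line as an added example (it is not code from either poster, nor from the SSLeay distribution). It follows Henson's advice in both respects: nsCertType is set to `client, email` (0xa0) through an extension file at signing time instead of patching the issued certificate afterwards, and the key pair is generated on the user's side so only a CSR reaches the CA, which is what keeps the CA operator from holding the user's private key. The user then builds their own PKCS#12 with the chain, and the CA certificate is converted to DER for browser import. Assumptions: an OpenSSL 1.1 or later binary on PATH; the directory, subject names, file names and the password `demo-password` are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Demo of CSR-based enrollment with
# nsCertType set by the CA's extension file. Assumes `openssl` 1.1+ on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, constructed for the demo

# Extensions the CA applies when signing the user's CSR. Netscape's nsCertType
# bits: SSL client = 0x80, S/MIME = 0x20, so "client, email" encodes 0xa0.
write_config() {
  cat > "$WORK/user_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
nsCertType = client, email
subjectAltName = email:copy
EOF
}

# 1. CA side: self-signed CA certificate; cakey.pem stays in the CA directory.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Demo CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# 2. User side: the key pair never leaves the user; only userreq.pem is sent.
make_user_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$WORK/userkey.pem" -out "$WORK/userreq.pem" 2>/dev/null
}

# 3. CA side: sign the CSR with the extension file (no post-hoc editing of
#    the issued certificate, so the CA directory copy matches what is handed out).
sign_user_cert() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/userreq.pem" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/user_ext.cnf" -out "$WORK/usercert.pem" 2>/dev/null
}

# 4. User side: bundle own key + cert + CA cert into a PKCS#12 for browser import.
export_p12() {
  openssl pkcs12 -export -name "Alice S/MIME" \
    -inkey "$WORK/userkey.pem" -in "$WORK/usercert.pem" \
    -certfile "$WORK/cacert.pem" -passout pass:demo-password \
    -out "$WORK/alice.p12"
}

# 5. CA certificate in DER form, the "x509 -outform DER" step from the thread.
export_ca_der() {
  openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/cacert.der"
}

# Checks worth running before handing anything out.
nscerttype_of() {   # prints the decoded Netscape Cert Type of a certificate
  openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | tail -n1 | tr -d ' '
}
chain_ok() {        # exit 0 if the issued certificate chains to the CA
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/usercert.pem" >/dev/null 2>&1
}
p12_cert_count() {  # number of certificates the PKCS#12 opens with (expect 2: user + CA)
  openssl pkcs12 -in "$WORK/alice.p12" -passin pass:demo-password -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

run_all() {
  write_config; make_ca; make_user_csr; sign_user_cert; export_p12; export_ca_der
}

run_all
echo "nsCertType of issued cert: $(nscerttype_of "$WORK/usercert.pem")"
echo "artifacts in $WORK"
```

Because the CA never sees `userkey.pem`, the recovery convenience John Wack describes (restoring a lost .p12 for the user) is no longer something the CA can offer; that is the trade the thread's "server enrollment" advice makes, and backup of the PKCS#12 becomes the user's job. The three check functions are the ones to run after signing: decode nsCertType and confirm it reads SSL Client, S/MIME, verify the chain against the CA file, and confirm the PKCS#12 opens with the password and carries both certificates.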


+------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED]            |
| List service provided by Open Software Associates, http://www.osa.com/ |
+------------------------------------------------------------------------+
