[prev in list] [next in list] [prev in thread] [next in thread]
List: freebsd-isp
Subject: Re: SSL certificates
From: Ulf Zimmermann <ulf () Alameda ! net>
Date: 2002-06-04 0:29:51
[Download RAW message or body]
On Mon, Jun 03, 2002 at 02:23:08PM -0700, Ulf Zimmermann wrote:
> On Mon, Jun 03, 2002 at 01:56:50AM -0500, James wrote:
> > Thus spake Mark Bojara (mark@mics.co.za):
> >
> > > so do I have to have a physical link to a .pem file or can I use the
> > > certificate on a SSL site and it will ask them to install it?
> >
> > A physical link will do the trick. For security purposes, clients
> > should only accept a new CA certificate when it's explicitly requested,
> > or is included in a pack with a client cert they're importing.
> >
> > Name it something like ca.crt, and make sure the content-type is set
> > properly. Then they can go to http://something/path/to/ca.crt and
> > their browser should take care of it automatically. Wheeee.
> >
> > To be safe, look for:
> > AddType application/x-x509-ca-cert .crt
> > in your apache config.
> >
> > If you'd like it to be something.pem, just pop in another AddType for
> > it.
> >
> > HTH.
> >
> > --
> > James <oneiros@darkspire.net> A cat stalking near
> > uri: http://oneiros.darkspire.net/ the Emperor's palace. A
> > 1024D/62C2F77D crouching cat. A fox.
>
> Gotta ask if someone here knows what the problem could be. I created
> a self signed CA on FreeBSD with OpenSSL 0.9.6a (included in -stable).
>
> Imported the ca.crt into Mozilla under FreeBSD (1.0 rc1). Signed a
> SSL cert for a website, load that website into Mozilla, everything is
> fine.
>
> Now I import the same CA.crt into Win2k IE 6, WinXP IE 6, WinXP Netscape
> 6.2.3 and WinXP Mozilla 1.0 rc3. All say fine. Loading up the website
> mentioned above, they all still say can't verify issuer of the cert.
>
> Opened up the view certificate in Mozilla/FBSD and Mozilla/WinXP, I
> can't see a differece. Anyone got an idea what the problem might be ?
>
> --
> Regards, Ulf.
>
> ---------------------------------------------------------------------
> Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
> You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
I built openssl 0.9.6d from ports and generated a new CA. Now it all
works. No idea if the newer openssl version did the trick or the
new CA cert.
--
Regards, Ulf.
---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic