
List:       ssl-users
Subject:    Re: [ssl-users] cert, key password queries
From:       Kaur Virunurm <Kaur.Virunurm () hansa ! ee>
Date:       1999-02-04 15:04:06

> 1) Why doesn't NS like my cert?
1) Does the browser trust the CA who has issued the server cert?
Accept the CA cert into your browser and see if anything changes.

2) Is the cert type correct (nscerttype extension)? 
The same for the CA that issued the server cert? 
(Check the nscerttype values from ca-fix documentation, I think
that SSL server was 0x40 and SSL CA 0x04)

3) If you use your generated server cert with, say, Apache,
does it work? Does Netscape connect to it, or does it complain?


> 2) The default cert for s_server, server.pem, does not cause s_server
> to prompt for a PEM password. How is that done?
Means that the private key in the server.pem is not password-protected.
Have a look at the server.pem, see if there is the private key section 
in it and try to print it out (does rsa -in server.pem prompt for password?
Probably does not.)

To do the same, convert your server's private key into unprotected form:
rsa -in serverkey.pem -out new_serverkey.pem will put unencrypted key
into the second file. (If you _want_ encryption, use rsa -des3).

Of course, having unencrypted private keys in files is a security risk.

Kaur
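
The check suggested in the reply above (look for the private key section in the PEM file and see whether it is password-protected), as an added example that is not part of the original message. It reads only the PEM armor and the `Proc-Type: 4,ENCRYPTED` header of the traditional OpenSSL key format; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a PEM file holds an unencrypted private key,
# judging only by the PEM armor and header lines (no key material is parsed).

# Prints "unencrypted" if any key block is in the clear, else "encrypted",
# else "none" when the file has no private key section at all.
pem_key_state() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/       { inkey = 1; enc = 1; next }
        /^-----BEGIN ((RSA|DSA|EC) )?PRIVATE KEY-----/ { inkey = 1; enc = 0; next }
        inkey && /^Proc-Type: 4,ENCRYPTED/             { enc = 1 }
        inkey && /^-----END /  { if (enc) e++; else p++; inkey = 0 }
        END { print (p ? "unencrypted" : (e ? "encrypted" : "none")) }
    ' "$1"
}

# Succeeds when group or other hold any permission bit on the file.
key_file_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# One line per file: RISK (clear key, accessible beyond the owner),
# WARN (clear key, owner-only), OK (encrypted key or no key).
audit_pem() {
    state=$(pem_key_state "$1")
    if [ "$state" != unencrypted ]; then echo "OK $state $1"
    elif key_file_exposed "$1"; then echo "RISK unencrypted group/other-accessible $1"
    else echo "WARN unencrypted owner-only $1"
    fi
}

# Constructed sample files: the armor lines are real PEM syntax, bodies are dummy text.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' \
        > "$1/server.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/serverkey.pem"
    chmod 644 "$1/server.pem"; chmod 600 "$1/serverkey.pem"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.pem; do audit_pem "$f"; done
rm -rf "$demo_dir"
```
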