From owner-freebsd-isp Mon Jun 3 14:23:16 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from seven.Alameda.net (seven.Alameda.net [64.81.63.137])
    by hub.freebsd.org (Postfix) with ESMTP id 8FE0537B401
    for ; Mon, 3 Jun 2002 14:23:08 -0700 (PDT)
Received: by seven.Alameda.net (Postfix, from userid 1000)
    id 4A09F3A201; Mon, 3 Jun 2002 14:23:08 -0700 (PDT)
Date: Mon, 3 Jun 2002 14:23:08 -0700
From: Ulf Zimmermann
To: James
Cc: freebsd-isp@freebsd.org
Subject: Re: SSL certificates
Message-ID: <20020603142308.M54093@seven.alameda.net>
Reply-To: ulf@Alameda.net
References: <20020603000526.GA5542@stardust.darkspire.net> <20020603065649.GA7504@stardust.darkspire.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020603065649.GA7504@stardust.darkspire.net>; from oneiros@darkspire.net on Mon, Jun 03, 2002 at 01:56:50AM -0500
Organization: Alameda Networks, Inc.
X-Operating-System: FreeBSD 4.4-STABLE
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Jun 03, 2002 at 01:56:50AM -0500, James wrote:
> Thus spake Mark Bojara (mark@mics.co.za):
>
> > so do I have to have a physical link to a .pem file or can I use the
> > certificate on a SSL site and it will ask them to install it?
>
> A physical link will do the trick. For security purposes, clients
> should only accept a new CA certificate when it's explicitly requested,
> or is included in a pack with a client cert they're importing.
>
> Name it something like ca.crt, and make sure the content-type is set
> properly. Then they can go to http://something/path/to/ca.crt and
> their browser should take care of it automatically. Wheeee.
>
> To be safe, look for:
>     AddType application/x-x509-ca-cert .crt
> in your apache config.
>
> If you'd like it to be something.pem, just pop in another AddType for
> it.
>
> HTH.
>
> --
> James                               A cat stalking near
> uri: http://oneiros.darkspire.net/  the Emperor's palace. A
> 1024D/62C2F77D                      crouching cat. A fox.

Gotta ask if someone here knows what the problem could be. I created a
self signed CA on FreeBSD with OpenSSL 0.9.6a (included in -stable).
Imported the ca.crt into Mozilla under FreeBSD (1.0 rc1). Signed a SSL
cert for a website, load that website into Mozilla, everything is fine.

Now I import the same CA.crt into Win2k IE 6, WinXP IE 6, WinXP Netscape
6.2.3 and WinXP Mozilla 1.0 rc3. All say fine. Loading up the website
mentioned above, they all still say can't verify issuer of the cert.
Opened up the view certificate in Mozilla/FBSD and Mozilla/WinXP, I can't
see a difference.

Anyone got an idea what the problem might be?

--
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
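
Added example, not part of the original thread and not code from Apache or OpenSSL: a Python check for the ca.crt download described in the quoted reply. Given the Content-Type header and body a server returned, it confirms the MIME type from the AddType line, flags a .pem that also carries a private key, and computes a SHA-256 fingerprint that can be compared out of band before the CA is trusted. The function name, report fields and sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

CA_MIME = "application/x-x509-ca-cert"   # the type from the AddType line above
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def inspect_ca_download(content_type, body):
    """Check one HTTP response (header str, body bytes) meant to deliver a CA cert."""
    report = {"mime_ok": False, "encoding": None,
              "private_key": False, "sha256": None}
    # Ignore parameters such as "; charset=..." and letter case.
    mime = content_type.split(";")[0].strip().lower()
    report["mime_ok"] = (mime == CA_MIME)

    der = None
    blocks = PEM_BLOCK.findall(body)
    if blocks:
        report["encoding"] = "PEM"
        for label, payload in blocks:
            if label.endswith(b"PRIVATE KEY"):
                report["private_key"] = True      # must never be published
            elif label == b"CERTIFICATE" and der is None:
                der = base64.b64decode(b"".join(payload.split()))
    elif body[:1] == b"\x30":                     # outer ASN.1 SEQUENCE tag
        report["encoding"] = "DER"
        der = body
    if der is not None:
        # Fingerprint of the DER bytes, identical for PEM and DER delivery.
        report["sha256"] = hashlib.sha256(der).hexdigest()
    return report


# Constructed sample data: a stand-in blob, not a real certificate.
FAKE_DER = b"\x30\x0c" + b"constructed!"
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER)
            + b"\n-----END CERTIFICATE-----\n")
LEAKY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n"
             b"-----END RSA PRIVATE KEY-----\n" + FAKE_PEM)

if __name__ == "__main__":
    print(inspect_ca_download("application/x-x509-ca-cert", FAKE_DER))
    print(inspect_ca_download("text/plain; charset=us-ascii", LEAKY_PEM))
```

The check only looks at the outer framing of the body; it does not parse or validate the certificate itself.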