Date: Mon, 3 Jun 2002 17:29:51 -0700
From: Ulf Zimmermann
To: Ulf Zimmermann
Cc: James, freebsd-isp@freebsd.org
Subject: Re: SSL certificates
Organization: Alameda Networks, Inc.

On Mon, Jun 03, 2002 at 02:23:08PM -0700, Ulf Zimmermann wrote:
> On Mon, Jun 03, 2002 at 01:56:50AM -0500, James wrote:
> > Thus spake Mark Bojara (mark@mics.co.za):
> >
> > > so do I have to have a physical link to a .pem file or can I use the
> > > certificate on a SSL site and it will ask them to install it?
> >
> > A physical link will do the trick. For security purposes, clients
> > should only accept a new CA certificate when it's explicitly requested,
> > or is included in a pack with a client cert they're importing.
> >
> > Name it something like ca.crt, and make sure the content-type is set
> > properly. Then they can go to http://something/path/to/ca.crt and
> > their browser should take care of it automatically. Wheeee.
> >
> > To be safe, look for:
> >     AddType application/x-x509-ca-cert .crt
> > in your apache config.
> >
> > If you'd like it to be something.pem, just pop in another AddType for
> > it.
> >
> > HTH.
> >
> > --
> > James                              A cat stalking near
> > uri: http://oneiros.darkspire.net/ the Emperor's palace. A
> > 1024D/62C2F77D                     crouching cat. A fox.
>
> Gotta ask if someone here knows what the problem could be. I created
> a self signed CA on FreeBSD with OpenSSL 0.9.6a (included in -stable).
>
> Imported the ca.crt into Mozilla under FreeBSD (1.0 rc1). Signed a
> SSL cert for a website, load that website into Mozilla, everything is
> fine.
>
> Now I import the same CA.crt into Win2k IE 6, WinXP IE 6, WinXP Netscape
> 6.2.3 and WinXP Mozilla 1.0 rc3. All say fine. Loading up the website
> mentioned above, they all still say can't verify issuer of the cert.
>
> Opened up the view certificate in Mozilla/FBSD and Mozilla/WinXP, I
> can't see a difference. Anyone got an idea what the problem might be?
>
> --
> Regards, Ulf.
>
> ---------------------------------------------------------------------
> Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
> You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

I built openssl 0.9.6d from ports and generated a new CA. Now it all
works. No idea if the newer openssl version did the trick or the new
CA cert.

--
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
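
Added example, not part of the thread: one way to run the "verify issuer" check outside a browser with the openssl command line, testing a site certificate against a candidate CA file for issuer-name match, CA flag and chain verification. The CA names, www.example.test and all file names are constructed, and the script says nothing about what caused the failure reported above.

```shell
# Constructed throwaway CAs and site certificate; every name is a placeholder.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal request config so the CA certificates carry basicConstraints CA:TRUE
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {      # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
sign_site() {    # $1 = CA prefix, $2 = site prefix, $3 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -set_serial 1 -days 30 -out "$2.crt" 2>/dev/null
}
# Does the site certificate name this CA as its issuer?
names_match() {  # $1 = CA cert, $2 = site cert
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$2")" ]
}
# Is the certificate marked as a CA?
is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
# Does the site certificate verify against this CA file?
chain_ok() {     # $1 = CA cert, $2 = site cert
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

make_ca ca_a "Example Test CA A"
make_ca ca_b "Example Test CA B"
sign_site ca_a site "www.example.test"

# Check the site certificate against the CA that signed it and one that did not
for ca in ca_a ca_b; do
    names_match "$ca.crt" site.crt && n=yes || n=no
    chain_ok "$ca.crt" site.crt && v=yes || v=no
    echo "$ca: issuer name matches=$n chain verifies=$v"
done
```

To check a real pair, call `names_match`, `is_ca` and `chain_ok` on the ca.crt that was imported and the certificate the web server actually presents.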