Date: Mon, 3 Jun 2002 17:29:51 -0700
From: Ulf Zimmermann <ulf@Alameda.net>
To: Ulf Zimmermann <ulf@Alameda.net>
Cc: James <oneiros@darkspire.net>, freebsd-isp@freebsd.org
Subject: Re: SSL certificates
Message-ID: <20020603172951.N54093@seven.alameda.net>
In-Reply-To: <20020603142308.M54093@seven.alameda.net>; from ulf@Alameda.net on Mon, Jun 03, 2002 at 02:23:08PM -0700
References: <20020603000526.GA5542@stardust.darkspire.net> <Pine.LNX.4.41.0206030749300.1748-100000@opium.co.za> <20020603065649.GA7504@stardust.darkspire.net> <20020603142308.M54093@seven.alameda.net>

On Mon, Jun 03, 2002 at 02:23:08PM -0700, Ulf Zimmermann wrote:
> On Mon, Jun 03, 2002 at 01:56:50AM -0500, James wrote:
> > Thus spake Mark Bojara (mark@mics.co.za):
> >
> > > so do I have to have a physical link to a .pem file or can I use the
> > > certificate on a SSL site and it will ask them to install it?
> >
> > A physical link will do the trick. For security purposes, clients
> > should only accept a new CA certificate when it's explicitly requested,
> > or is included in a pack with a client cert they're importing.
> >
> > Name it something like ca.crt, and make sure the content-type is set
> > properly. Then they can go to http://something/path/to/ca.crt and
> > their browser should take care of it automatically. Wheeee.
> >
> > To be safe, look for:
> >     AddType application/x-x509-ca-cert .crt
> > in your apache config.
> >
> > If you'd like it to be something.pem, just pop in another AddType for
> > it.
> >
> > HTH.
> >
> > --
> > James <oneiros@darkspire.net>            A cat stalking near
> > uri: http://oneiros.darkspire.net/       the Emperor's palace. A
> > 1024D/62C2F77D                           crouching cat. A fox.
>
> Gotta ask if someone here knows what the problem could be. I created
> a self signed CA on FreeBSD with OpenSSL 0.9.6a (included in -stable).
>
> Imported the ca.crt into Mozilla under FreeBSD (1.0 rc1). Signed a
> SSL cert for a website, load that website into Mozilla, everything is
> fine.
>
> Now I import the same CA.crt into Win2k IE 6, WinXP IE 6, WinXP Netscape
> 6.2.3 and WinXP Mozilla 1.0 rc3. All say fine. Loading up the website
> mentioned above, they all still say can't verify issuer of the cert.
>
> Opened up the view certificate in Mozilla/FBSD and Mozilla/WinXP, I
> can't see a difference. Anyone got an idea what the problem might be?
>
> --
> Regards, Ulf.
>
> ---------------------------------------------------------------------
> Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
> You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

I built openssl 0.9.6d from ports and generated a new CA. Now it all
works. No idea if the newer openssl version did the trick or the new
CA cert.

--
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
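
A way to check, outside any browser, whether a site certificate really chains to the CA file that was handed out to clients, which separates a CA/certificate problem from a client import problem. This is an added example, not part of the thread; it needs the openssl command line tool, and every subject, file name and the temporary directory in it are constructed.

```shell
#!/bin/sh
# Added example; subjects and file names are constructed. Needs the openssl CLI.

# check_chain CA_FILE SITE_CERT
# 0 = cert chains to CA_FILE, 1 = cert issuer name differs from CA subject,
# 2 = CA_FILE lacks basicConstraints CA:TRUE, 3 = chain/signature check failed.
check_chain() {
    ca_file=$1; cert_file=$2
    [ "$(openssl x509 -in "$cert_file" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$ca_file" -noout -subject_hash)" ] || return 1
    openssl x509 -in "$ca_file" -noout -text | grep -q 'CA:TRUE' || return 2
    openssl verify -CAfile "$ca_file" "$cert_file" >/dev/null 2>&1 || return 3
    return 0
}

# make_ca DIR NAME SUBJECT: self-signed CA in DIR/NAME.crt, key in DIR/NAME.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "$3" \
        -config "$1/min.cnf" -extensions v3_ca \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_fixtures DIR: a CA, a site cert it signed, and two CAs that did not sign it.
make_fixtures() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/min.cnf"
    make_ca "$d" ca    "/CN=Constructed Test CA" &&
    make_ca "$d" regen "/CN=Constructed Test CA" &&   # same name, different key
    make_ca "$d" other "/CN=Some Other CA" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -config "$d/min.cnf" -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 7 -out "$d/site.crt" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_fixtures "$tmp" || { rm -rf "$tmp"; return 1; }
    for name in ca regen other; do
        rc=0
        check_chain "$tmp/$name.crt" "$tmp/site.crt" || rc=$?
        echo "$name.crt -> check_chain returned $rc"
    done
    rm -rf "$tmp"
}
demo
```

Against real files, call `check_chain ca.crt site.crt` with the exact ca.crt that is published for download and the certificate the web server presents.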