ietf-smime

Re: [ssl-users] ssleay, private CA and Netscape 4.xx ...

1998-11-10 14:36:51
Garry Glendown wrote:

> I guess I'm finally cracking up ...


Aren't we all :-)


> After messing around some time ago and finally getting a working CA up
> and running, I somehow did something today that blew that (even though
> all files in the CA-directory are unchanged ...)
>
> Anyway, no matter what I do in order to get it running again, all
> Netscape does is complain about not being able to get the page due to
> the certificate being incorrect ("the certificate is not approved for
> the attempted application") or a broken transmission ... the server
> currently complains about one of two possible errors:


OK, the usual reason for this is an invalid value for nsCertType. It
should be 0x40 for SSL server certificates or omitted entirely.


> I'm pretty sure the reason for this lies somewhere in the nsCertType
> field ... but I've tried just about any combination I could think of for
> the last several hours .. (including commenting it out). So, could
> someone please give me a hint what the field has to be when generating
> the CA and what when generating "regular" Certs? (I guess I might have
> messed it up when I generated a cert-req for a Thawte test cert ...)


Did you just comment out the field in ssleay.cnf? The actual value in
there only gets set in a certificate when the 'ca' program signs a
request. Normally it isn't used at all. Also the certificate request
doesn't contain a nsCertType field so that can't be it :-)

If you just want to change or experiment with the nsCertType extension
then my ca-fix program (see homepage) is probably easiest.

If you are still having problems send me a copy of the certificate and
CA certificate and I'll check it over.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.
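
Added example (not part of the original message, and not SSLeay or ca-fix code): a Python sketch that decodes the DER BIT STRING carried in an nsCertType extension and applies the rule stated above, that the value should be 0x40 for an SSL server certificate or the extension should be omitted. The helper names and the sample byte strings are constructed for illustration.

```python
# Added illustration: helper names are hypothetical, sample bytes are constructed.
# nsCertType (OID 2.16.840.1.113730.1.1) is carried as a DER BIT STRING.
NS_CERT_TYPE_BITS = [
    (0x80, "SSL client"), (0x40, "SSL server"), (0x20, "S/MIME"),
    (0x10, "object signing"), (0x04, "SSL CA"), (0x02, "S/MIME CA"),
    (0x01, "object signing CA"),
]
SSL_SERVER = 0x40  # the value named in the message above


def decode_ns_cert_type(der: bytes) -> int:
    """Return the flag byte held in a DER-encoded nsCertType BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused = der[1], der[2]
    if length != len(der) - 2 or length > 2 or unused > 7:
        raise ValueError("unexpected BIT STRING layout for nsCertType")
    if length == 1:                      # empty bit string: no usage bits set
        if unused:
            raise ValueError("empty BIT STRING cannot have unused bits")
        return 0
    flags = der[3]
    if flags & ((1 << unused) - 1):      # padding bits must be zero in DER
        raise ValueError("non-zero padding bits")
    return flags


def describe(flags: int) -> list:
    """List the usages whose bits are set in the flag byte."""
    return [name for bit, name in NS_CERT_TYPE_BITS if flags & bit]


def usable_as_ssl_server(ext_value) -> bool:
    """ext_value is the extension's DER value, or None when it is omitted."""
    if ext_value is None:                # extension omitted entirely
        return True
    return bool(decode_ns_cert_type(ext_value) & SSL_SERVER)


if __name__ == "__main__":
    samples = {                          # constructed extension values
        "server (0x40)": b"\x03\x02\x06\x40",
        "client only (0x80)": b"\x03\x02\x07\x80",
        "SSL CA only (0x04)": b"\x03\x02\x02\x04",
        "extension omitted": None,
    }
    for label, value in samples.items():
        print(f"{label:20} usable as SSL server: {usable_as_ssl_server(value)}")
```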

