Verisign CA cert problem

Verisign CA cert problem

am 19.05.2004 18:46:32 von Bill MacAllister

Hello,

I am having problems with a brand new Verisign 128 bit certificate that has
just be purchased. I have installed the certificate and the intermediate
CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.

What I am seeing is the Netscape and Mozilla connect to the site just fine.
When I connect to the site with IE 6 the security window pops up telling be
that the certificate has either expired or is not valid yet. When I look
at the certificate the intermediate CA cert that IE is using is the expired
cert that was installed with IE. I tried removing the old intermediate CA
cert from IE altogether and it still will not load the intermediate CA cert
from my server.

I am not really sure what to try at this point. Oh, yes, Verisign support
has been pretty much useless.

Help suggestions will be greatly appreciated.

Bill

+---------------------------------------------------
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Verisign CA cert problem

am 19.05.2004 19:50:44 von Christopher McCrory

On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
> Hello,
>
> I am having problems with a brand new Verisign 128 bit certificate that has
> just be purchased. I have installed the certificate and the intermediate
> CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d instance.
>

Did you get a new intermediate cert (intermediate.crt) from Verisign
also? This also goes in the apache config. directions somewhere on
verisigns site.


> What I am seeing is the Netscape and Mozilla connect to the site just fine.
> When I connect to the site with IE 6 the security window pops up telling be
> that the certificate has either expired or is not valid yet. When I look
> at the certificate the intermediate CA cert that IE is using is the expired
> cert that was installed with IE. I tried removing the old intermediate CA
> cert from IE altogether and it still will not load the intermediate CA cert
> from my server.
>
> I am not really sure what to try at this point. Oh, yes, Verisign support
> has been pretty much useless.
>
> Help suggestions will be greatly appreciated.
>
> Bill
>
> +---------------------------------------------------
> | Bill MacAllister
> | 14219 Auburn Road
> | Grass Valley, CA 95949
> | 530-272-8555
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
--
Christopher McCrory
"The guy that keeps the servers running"

chrismcc@pricegrabber.com
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense. I tried it. Only tinfoil works.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Verisign CA cert problem

am 19.05.2004 20:36:01 von Bill MacAllister

--On Wednesday, May 19, 2004 10:50:44 AM -0700 Christopher McCrory
wrote:

> On Wed, 2004-05-19 at 09:46, Bill MacAllister wrote:
>> Hello,
>>
>> I am having problems with a brand new Verisign 128 bit certificate that
>> has just be purchased. I have installed the certificate and the
>> intermediate CA cert on an Apache 1.3.31/mod_ssl 2.8.17/openssl 0.9.7d
>> instance.
>>
>
> Did you get a new intermediate cert (intermediate.crt) from Verisign
> also? This also goes in the apache config. directions somewhere on
> verisigns site.

Yes. The only certificate that has ever been on my servers is the new CA
cert.

Actually there are multiple references on the Versign site:

http://www.verisign.com/support/install/apache/v00Mod.html#g lobal
http://www.verisign.com/support/site/caReplacement.html

Of course, while both describe the same issue they suggest slightly
different Apache directives. Respectively the two suggestions are:

SSLCertificateFile /etc/ssl/crt/public.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/intermediate.crt

and

SSLCACertificateFile /etc/ssl/crt/intermediate.crt

I have tried both and neither method works for IE.

Bill

>
>> What I am seeing is the Netscape and Mozilla connect to the site just
>> fine. When I connect to the site with IE 6 the security window pops up
>> telling be that the certificate has either expired or is not valid yet.
>> When I look at the certificate the intermediate CA cert that IE is
>> using is the expired cert that was installed with IE. I tried removing
>> the old intermediate CA cert from IE altogether and it still will not
>> load the intermediate CA cert from my server.
>>
>> I am not really sure what to try at this point. Oh, yes, Verisign
>> support has been pretty much useless.
>>
>> Help suggestions will be greatly appreciated.
>>
>> Bill
>>
>> +---------------------------------------------------
>> | Bill MacAllister
>> | 14219 Auburn Road
>> | Grass Valley, CA 95949
>> | 530-272-8555
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
> --
> Christopher McCrory
> "The guy that keeps the servers running"
>
> chrismcc@pricegrabber.com
> http://www.pricegrabber.com
>
> Let's face it, there's no Hollow Earth, no robots, and
> no 'mute rays.' And even if there were, waxed paper is
> no defense. I tried it. Only tinfoil works.
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org



+---------------------------------------------------
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org