On Friday 13 October 2006 08:21, BB wrote:
> > Are you able to post the certificate here? It sounds like the issue may be the
> > key usage, or an entry in some other field - I've seen results like this if
> > you don't have key agreement set, or some of the other fields mangled, or
> > particular security settings enabled in your certificate.

> Hi,
> Please find attached the CA cert and the server cert.
> I can successfully import the CA cert into IE, under Trusted Root
> Certification Authorities.
> If I download the server cert and open it from Windows (XP), its
> description says:
> "This certification authority does not appear to be allowed to issue
> certificates or cannot be used as an end-entity certificate."

And that would most likely be your problem - the CA Certificate should have
the following extensions:

Basic Constraints: CA:TRUE
Key Usage: DigitalSignature, CertificateSign, CrlSign

If you re-gen your CA Certificate with those usages, and then re-sign your
Server certificate (which itself should have the Key Usage extension set to
digital Signature and key Encipherment), your issue should go away.

Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
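
Added example, not part of the original message or of mod_ssl: a shell sketch that regenerates a CA and re-signs a server certificate with the extensions listed in the reply, then prints them and checks the chain. OpenSSL's config names `keyCertSign` and `cRLSign` correspond to CertificateSign and CrlSign; file names, subject names, key size, validity and the `critical` flags are assumptions.

```shell
#!/bin/sh
# Added example: CA and server certificate with the extensions named in the reply.
# Paths, subjects, key size and validity below are assumptions for illustration.
make_certs() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[ v3_server ]
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    # Self-signed CA certificate carrying the v3_ca section.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/ext.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and CSR, then re-sign with the new CA using v3_server.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Print the Basic Constraints and Key Usage extensions of a certificate.
show_ext() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 -E 'X509v3 (Basic Constraints|Key Usage)'
}

# Confirm the server certificate chains to the regenerated CA.
check_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt"
}

work=$(mktemp -d)
make_certs "$work" && show_ext "$work/ca.crt" &&
    show_ext "$work/server.crt" && check_chain "$work"
```

The same `show_ext` check can be run against an existing CA certificate to see whether `CA:TRUE` and Certificate Sign are present before regenerating anything.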