This is a discussion on Re: Encrypted page would not load into IE - modssl ; On Friday 13 October 2006 08:21, BB wrote: > > Are you able to post the certificate here? It sounds like the issue may > > be the > > key usage, or an entry in some other field - ...
On Friday 13 October 2006 08:21, BB wrote:
> > Are you able to post the certificate here? It sounds like the issue may
> > be the
> > key usage, or an entry in some other field - I've seen results like this
> > if
> > you don't have key agreement set, or some of the other fields mangled, or
> > particular security settings enabled in your certificate.
> Please find attached the CA cert and the server cert.
> I can successfully import the CA cert into IE, under Trusted Root
> Certification Authorities.
> If I download the server cert and open it from Windows (XP), it's
> description says:
> "This certification authority does not appear to be allowed to issue
> certificates or cannot be used as an end-entity certificate."
And that would most likely be your problem - the CA Certificate should have
the following extensions:
Basic Constraints: CA:TRUE
Key Usage: DigitalSignature, CertificateSign, CrlSign
If you re-gen your CA Certificate with those usages, and then re-sign your
Server certificate (which itself, should have the Key Usage extension set to
digital Signature and key Encipherment), your issue should go away
President and Chief PKI Architect
Carillon Information Security Inc.
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com