On Friday 13 October 2006 08:21, BB wrote:
> > Are you able to post the certificate here? It sounds like the issue may
> > be the key usage, or an entry in some other field - I've seen results
> > like this if you don't have key agreement set, or some of the other
> > fields mangled, or particular security settings enabled in your
> > certificate.

>
> Hi,
>
> Please find attached the CA cert and the server cert.
>
> I can successfully import the CA cert into IE, under Trusted Root
> Certification Authorities.
>
> If I download the server cert and open it from Windows (XP), its
> description says:
>
> "This certification authority does not appear to be allowed to issue
> certificates or cannot be used as an end-entity certificate."
>

And that would most likely be your problem - the CA Certificate should have
the following extensions:

Basic Constraints: CA:TRUE
Key Usage: DigitalSignature, CertificateSign, CrlSign

If you re-gen your CA Certificate with those usages, and then re-sign your
Server certificate (which itself should have the Key Usage extension set to
digital Signature and key Encipherment), your issue should go away.


--
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
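
A check for the extensions named in the reply above, added here as an example and not part of the original message: it reads the extensions section of `openssl x509 -noout -text` output and reports what is missing for a CA or a server certificate. The function names and the sample text are constructed for illustration.

```python
import re

# Key usages named in the reply, spelled as `openssl x509 -noout -text` prints them.
CA_KEY_USAGE = {"Digital Signature", "Certificate Sign", "CRL Sign"}
SERVER_KEY_USAGE = {"Digital Signature", "Key Encipherment"}

def parse_extensions(text):
    """Map each X509v3 extension name to the list of values on the line below it."""
    exts, lines = {}, text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\s*X509v3 (?!extensions)(.+?):\s*(?:critical)?\s*$", line)
        if m:
            exts[m.group(1)] = [v.strip() for v in lines[i + 1].split(",") if v.strip()]
    return exts

def missing_usage(exts, required):
    """Report required key usages that the certificate does not assert."""
    missing = required - set(exts.get("Key Usage", []))
    return ["Key Usage missing: " + ", ".join(sorted(missing))] if missing else []

def check_ca(text):
    """Problems that stop a certificate from acting as an issuing CA."""
    exts = parse_extensions(text)
    problems = []
    if "CA:TRUE" not in exts.get("Basic Constraints", []):
        problems.append("Basic Constraints is not CA:TRUE")
    return problems + missing_usage(exts, CA_KEY_USAGE)

def check_server(text):
    """Problems with the Key Usage of a server (end-entity) certificate."""
    return missing_usage(parse_extensions(text), SERVER_KEY_USAGE)

# Constructed samples (not the certificates attached to the thread).
BAD_CA = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""
GOOD_CA = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
"""

if __name__ == "__main__":
    for name, sample in [("BAD_CA", BAD_CA), ("GOOD_CA", GOOD_CA)]:
        print(name, check_ca(sample) or "ok")
```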