Thanks, I don't know what extensions are. I ran that command and it shows
these extensions:

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                84:C9F:56:82:E7:B9:2A:A5:3F:EB:E2:7B:E0:F0:B7:B8:5C:F1: EA
            X509v3 Authority Key Identifier:
                keyid:3B:5E:C9:05:88:E2:13:3A:26:A0D:3F:22:9D:55:12:35:71:B0:1D

Are they right?



2008/1/17, Marek.Marcola@malkom.pl:
>
> Hello,
> > I enabled https in my website on a Tomcat server.
> >
> > I created the CA with OpenSSL, I signed my web certificate and I added
> > the certificate of my CA in IE and Firefox. With IE 6 and 7 it runs
> > successfully and securely, but with Firefox and Netscape it shows this
> > error: "cannot establish encrypted connection to the web server because
> > the certificate is invalid or corrupted: Error Code -8101"
> >
> > Do you know what the problem is?
>
> You may try looking at your certificate extensions with the command:
> $ openssl x509 -in cert.pem -text -noout
>
> Extensions are checked by Firefox and enforced.
> If you do not have the required extensions or you have
> too many extensions in your certificate, Firefox may treat this
> certificate as invalid.
>
> For example you may have a certificate with extensions:
> ....
>    X509v3 Key Usage:
>       Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
> ....
> which is valid.
>
> But if for some reason you have a certificate with:
> ....
>    X509v3 Key Usage:
>       Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
>    X509v3 Extended Key Usage:
>       Code Signing
> ....
> then Firefox will treat this certificate as invalid.
>
> Best regards,
> --
> Marek Marcola
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
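
The extension check discussed in this thread, as an added example that is not part of the original messages: a Python script that parses the "X509v3 extensions" block of `openssl x509 -text -noout` output and reports purpose extensions that leave out server use. The rule it applies (an Extended Key Usage or Netscape Cert Type extension, when present, must list a server purpose) and every name in the code are assumptions of this example.

```python
import re

# Assumed rule: if one of these extensions is present, it must list a server purpose.
SERVER_PURPOSES = {
    "X509v3 Extended Key Usage": {"TLS Web Server Authentication", "Any Extended Key Usage"},
    "Netscape Cert Type": {"SSL Server"},
}

def parse_extensions(text):
    """Map extension name -> list of values, from `openssl x509 -text -noout` output."""
    exts, name, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "X509v3 extensions:":
            in_block = True
        elif in_block and line.startswith("Signature Algorithm:"):
            break  # end of the extensions block
        elif in_block and re.search(r":( critical)?$", line):
            name = re.sub(r":( critical)?$", "", line)  # extension header line
            exts[name] = []
        elif in_block and line and name:
            exts[name] += [v.strip() for v in line.split(",") if v.strip()]
    return exts

def server_usage_problems(text):
    """Return one message per extension that rules out use as an HTTPS server cert."""
    problems = []
    for ext, values in parse_extensions(text).items():
        allowed = SERVER_PURPOSES.get(ext)
        if allowed and not allowed & set(values):
            problems.append(f"{ext}: {', '.join(values)} (no server purpose listed)")
    return problems

HEADER = "X509v3 extensions:\n"
# Extension values as posted in the message above (key identifier lines left out).
THREAD_CERT = HEADER + """X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
"""
# Constructed from the two Key Usage examples quoted in the reply.
KEY_USAGE = "X509v3 Key Usage:\nDigital Signature, Non Repudiation, Key Encipherment, Key Agreement\n"
KEY_USAGE_ONLY = HEADER + KEY_USAGE
WITH_CODE_SIGNING = HEADER + KEY_USAGE + "X509v3 Extended Key Usage:\nCode Signing\n"

if __name__ == "__main__":
    for label, sample in [("thread", THREAD_CERT), ("key usage only", KEY_USAGE_ONLY),
                          ("code signing EKU", WITH_CODE_SIGNING)]:
        print(label, "->", server_usage_problems(sample) or "no purpose conflict")
```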

