Problems with FF cert that works on IE and Opera


Problems with FF cert that works on IE and Opera

Brian_Fox-2

I have created a chain of certificates as follows:
A self-signed CA certificate
A server certificate

A client certificate:
openssl genrsa -des3 -out client.key 4096

Client sign request:
openssl req -new -key client.key -out client.csr

I signed the CSR with my CA:
openssl x509 -req -days 365 -in client.csr -CA STCCA.crt -CAkey STCCA.key -set_serial 01 -out client.crt

I then exported the crt to pkcs12:
openssl pkcs12 -export -in client.crt -out client.p12 -inkey client.key -name "Subversion"

I can import and use this certificate successfully using IE and Opera. This certificate fails for "unknown reasons" when I import with Firefox 1.0.7 and 1.5. I tried exporting the CA certificate just for the heck of it using the same command and this certificate imports correctly. What is going on? I suspected the certificate was broken until it worked in IE. Then I suspected the format was wrong until I exported the CA certificate the same way and it worked. Please bring some sanity to my crazy world. Thanks
Brian Fox

RE: Problems with FF cert that works on IE and Opera

Andrew Teklemariam
One possible reason: nsCertType.  Firefox requires a 'server' key usage to use it as a server cert.
nsCertType = server, email, ...
-andrew
 
 



Re: Problems with FF cert that works on IE and Opera

Kyle Hamilton
Why is this legacy issue still around?

-Kyle H

On 1/25/06, Andrew Teklemariam <[hidden email]> wrote:

>
> One possible reason: nsCertType.  Firefox requires a 'server' key usage to
> use it as a server cert.
> nsCertType = server, email, ...
> -andrew
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Problems with FF cert that works on IE and Opera

Brian_Fox-2

I tried recreating the key with nsCertType=server,client,email and I get the same issue.




Re: Problems with FF cert that works on IE and Opera

Dr. Stephen Henson
On Wed, Jan 25, 2006, [hidden email] wrote:

> I have created a chain of certificates as follows:
> A Self signed CA certificate
> A server certificate
>
> A client certificate:
> openssl genrsa -des3 -out client.key 4096
>
> Client sign request:
> openssl req -new -key client.key -out client.csr
>
> I signed the CSR with my CA:
> openssl x509 -req -days 365 -in client.csr -CA STCCA.crt -CAkey STCCA.key
> -set_serial 01 -out client.crt
>
> I then exported the crt to pcks12:
> openssl pkcs12 -export -in client.crt -out client.p12 -inkey client.key
> -name "Subversion"
>
> I can import and use this certificate successfully using IE and Opera.
> This certificate fails for "unknown reasons" when I import with Firefox
> 1.0.7 and 1.5. I tried exporting the CA certificate just for the heck of
> it using the same command and this certificate imports correctly. What is
> going on? I suspected the certificate was broken until it worked in IE.
> Then I suspected the format was wrong until I exported the CA certificate
> the same way and it worked. Please bring some sanity to my crazy world.

Use the CA.pl script instead of manually calling the 'x509' command. Though if
you use OpenSSL 0.9.8 use CA.pl from a recent snapshot because there is a bug
in the release version.

As it stands there are several possible problems. You don't say how you
created the CA certificate: it may have invalid or no extensions.

The end user certificate above will have no extensions and be a V1
certificate with the above command.

You are explicitly setting the serial number to 1. If the root CA certificate
also has the serial number 1 or the certificate database has another
certificate from the same CA with the serial number 1 you'll get a duplicate
serial number conflict.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Problems with FF cert that works on IE and Opera

Brian_Fox-2

I see CA.pl.in and CA.pl.prod in the snapshot distribution. Do I need to build this to get the right pl file or can I just rename it and replace what I have? I'm using 0.9.8a
 
Brian Fox

Re: Problems with FF cert that works on IE and Opera

Brian_Fox-2

I started over using the CA.pl. Not only was that quite a bit easier, but it works now too. Thanks for the help.