ZServerSSL and Certificates

Sean stuffduff at cox.net
Thu Aug 5 09:48:48 EDT 2004


Hi,

I have been able to get ZServerSSL to work with the demo certs, and
with some self generated.  However I'm really not clear on
certificates in general, and we're about to try it with real certs
from a real CA.

What I'd like to find is some really clear documentation on
ZServerSSL.  What I have had to do is to try and interpret between the
general SSL certificate information sites and the ZServerSSL package.

What I did this last go-around was to snag CA.pl and visit
https://www.entrust.com/freecerts/ag_server_req.cfm

Step 3 requires a server certificate request (PKCS#10 request) 

Here's what I did:

# openssl genrsa -des3 -out privatekey 1024
# ./CA.pl -newreq

Which gave me newreq.pem, so I cut the text between the markers and
pasted it into the box, and submitted it.

Then I get two files back from the web site.

I believe that the first is the server cert, the second a ca cert.

So I take privatekey.pem and the ca cert and combine them into a
single file called ca.pem.

Then I:

# ./CA.pl -sign
# openssl rsa < newreq.pem > newkey.pem

and I combine the server cert and newkey.pem and call it server.pem.

I stop & restart the server, I get no errors from ZServerSSL.

However, when I try and access the site I get:

Microsoft IE6 first shows a request for a cert to use, I click OK to
bypass it then a warning dialog that the ca is not trusted.

Mozilla displays a panel warning that there are three potential
problems.

In either case if I ignore the warnings I get a secure connection.

I need to understand what I'm doing wrong here.

Please enlighten me!
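
Two checks apply to the files described in the post above: the private key placed in server.pem has to be the one whose public half is in the server certificate, and a browser accepts that certificate without warnings only if it verifies against a CA the browser trusts. The script below is an added example, not part of the original message; the function names and the demo files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): consistency checks for the
# PEM files that end up in server.pem and ca.pem.

# Returns 0 if the private key in $1 belongs to the certificate in $2,
# by comparing the public key derived from each.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Returns 0 if the certificate in $2 verifies against the CA certificate(s) in $1.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the subject (who the cert is for) and the issuer (who signed it).
show_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Builds constructed throwaway files in directory $1: a demo CA, a server key
# with its PKCS#10 request, the certificate the demo CA issues for that
# request, an unrelated private key, and an unrelated second CA.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Unrelated CA" \
        -keyout "$d/ca2.key" -out "$d/ca2.crt" 2>/dev/null
}
```

Against real files, pass the key that was used to create the request and the certificate the CA returned to key_matches_cert, and use show_names on the certificate to see which CA actually issued it. A key written with -des3 is passphrase-protected, so openssl needs the passphrase to read it.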


