ZServerSSL and Certificates

Josef Meile jmeile at hotmail.com
Thu Aug 5 12:38:55 EDT 2004


Hi Sean,

> Hi,
> 
> I have been able to get ZServerSSL to work with the demo certs, and
> with some self generated.  However I'm really not clear on
> certificates in general, and we're about to try it with real certs
> from a real CA.
I'm not a guru either, but I guess I know what your problem is. By the 
way, if I were you, I would try to use apache+mod_ssl+mod_rewrite 
instead of m2crypto. I have heard apache is faster than the latter and 
you won't have ZServer exposed to the world. If you want more info about 
this, search the zope mailing list on list.zope.org.

> What I did this last go-around was to snag CA.pl and visit
> https://www.entrust.com/freecerts/ag_server_req.cfm
I haven't tried it, but it looks good.

> So I take privatekey.pem and the ca cert and combine them into a
> single file called ca.pem.
> 
> Then I:
> 
> # ./CA.pl -sign
> # openssl rsa < newreq.pem > newkey.pem
> 
> and I combine the server cert and newkey.pem and call it server.pem.
I think that's more or less what I did.

> However, when I try and access the site I get:
> 
> Microsoft IE6 first shows a request for a cert to use, I click OK to
> bypass it then a warning dialog that the ca is not trusted.
> 
> Mozilla displays a panel warning that there are three potential
> problems.
> 
> In either case if I ignore the warnings I get a secure connection.
> 
> I need to understand what I'm doing wrong here.
Perhaps the Common Name (CN) of your cert isn't the same as the URL of 
your website. Check this in the cert properties in the certificate 
manager of Mozilla.

Another problem could be that "entrust.com" isn't listed as a Trusted Root 
Certification Authority (look in the certificate manager of Mozilla or 
IE). I only found "entrust.net". I guess the certificates generated by 
this website aren't intended for business. I think that if you want your 
certificate to be signed by some well known CA, you have to pay. Anyway, 
the warning is not bad. It depends on your needs.

Regards,
Josef
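The two browser warnings discussed in this thread (name mismatch and untrusted issuer) can be reproduced and checked outside the browser. The script below is an added example, not code from either poster or from ZServerSSL: it redoes the CA.pl steps with plain openssl commands (a private CA, a signed server cert with the passphrase removed from its key, and the cert+key bundle ZServerSSL reads), then runs the CN check and the chain check against that bundle. The hostname zope.example.test, the two CA names and the file layout under a scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the post): rebuild the CA.pl workflow with openssl
# and check the two things the browsers complained about. The hostname, the
# CA names and the file names are assumptions for this demonstration only.
set -e

HOST="zope.example.test"          # assumed name users type into the browser
WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certs

# Create a self-signed CA (what "CA.pl -newca" does behind the scenes).
# $1 is used both as the CA's CN and as its file prefix.
make_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Key + CSR for the given CN, signed by the named CA ("CA.pl -newreq-nodes"
# then "CA.pl -sign"), followed by the ZServerSSL-style bundle: the server
# certificate first, the unencrypted private key after it.
make_server_pem() {
    cn="$1"; ca="$2"; out="$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$out.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -out "$WORK/$out.crt" >/dev/null 2>&1
    cat "$WORK/$out.crt" "$WORK/$out.key" > "$WORK/$out.pem"
}

# Warning 1 (name mismatch): the leaf certificate's CN must equal the host
# name the site is reached by. Returns 0 when they match.
cn_matches() {
    pem="$1"; host="$2"
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ]
}

# Warning 2 (issuer not trusted): the leaf must chain to a CA certificate the
# client has in its trust store; -CAfile stands in for the browser's store.
# "openssl x509" extracts only the certificate from the bundle, so the key
# that follows it is never handed to verify.
chain_ok() {
    pem="$1"; trusted_ca="$2"
    openssl x509 -in "$pem" | openssl verify -CAfile "$trusted_ca" 2>/dev/null \
        | grep -q ': OK$'
}

# Scenarios from the thread: a correct bundle, one whose CN is not the site
# name, and a second CA that plays the role of a root the browser lacks.
setup_demo() {
    make_ca ourca
    make_ca otherca
    make_server_pem "$HOST"     ourca good
    make_server_pem "localhost" ourca wrongcn
}

report() {
    if cn_matches "$1" "$HOST"; then echo "$1: CN matches $HOST"
    else echo "$1: CN does not match $HOST (browser shows a name warning)"; fi
    if chain_ok "$1" "$2"; then echo "$1: chains to $2"
    else echo "$1: not trusted by $2 (browser shows an issuer warning)"; fi
}

setup_demo
report "$WORK/good.pem"    "$WORK/ourca.crt"    # both checks pass
report "$WORK/wrongcn.pem" "$WORK/ourca.crt"    # name mismatch only
report "$WORK/good.pem"    "$WORK/otherca.crt"  # untrusted issuer only
```

A certificate from a CA the browser does not ship a root for fails the second check no matter how correct the CN is; that is what a paid certificate from a well-known CA buys, and what importing your own CA certificate into the browser's trust store achieves for an internal site. Newer openssl builds can also run both checks in one step with `openssl verify -CAfile ca.crt -verify_hostname HOST`.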