Re: X.509 cert not exporting CA chain?

Thanks - there were indeed 2 certs, so I deleted one.

No problem.

openssl s_client -connect 66.166.204.121:8443 -showcerts
CONNECTED(00000003)
depth=2 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@xxxxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/SN=Shenhar/GN=Ran/CN=Ran Shenhar/emailAddress=ran.shenhar@xxxxxxxxxxxx
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
<snipped>

FF3 gives me Error code: sec_error_untrusted_issuer, IE7 won't even connect.
Any ideas?

Yes. The certificate is not intended to be used as server certificate but to encrypt/sign e-mails. So for example the server name is not in the CN field of the certificate subject.

The certificate might be usable for code signing (which was as far as I know your original intention), but not as server certificate.

So in case you need SSL connectivity, you need to obtain a server certificate from, for example, Verisign or GoDaddy. In case you don't need SSL, you can make your JavaWS application accessible via HTTP and still use the Thawte certificate to sign the application code.

One additional note: Your Thawte certificate does not contain a key usage or extended key usage extension, which is usually used to specify the purpose of the certificate, i.e. if you're allowed to use it for client or server authentication (for SSL) or if you're allowed to use it for code signing (for example for JavaWS). I don't know if JavaWS accepts it for code signing; you have to test that. There might even be differences between Java 5 and Java 6, as for example Java 6 is explicitly checking the code signing flag in the extended key usage extension now, as far as I know. As this extension is not present at all it might work - or not.

Ronny
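An added example, not from Ronny's post or anywhere else in this thread: a POSIX shell script that builds three constructed self-signed certificates (an e-mail-style one like the Thawte Personal Freemail cert shown above, a bare one with no EKU at all, and a proper TLS server cert) and runs the two checks a browser applies before trusting a server cert: does the subject CN or SAN name the host, and does the key usage / extended key usage permit serverAuth. All subject names and the `www.example.invalid` hostname are made up; the script assumes OpenSSL 1.1.1 or later is on PATH (for `req -addext`).

```shell
#!/bin/sh
# Added example (not from the original thread). Builds constructed test
# certificates and checks them the way a TLS client would. Assumes
# OpenSSL >= 1.1.1 on PATH; all names below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "personal e-mail" cert, modelled on the one in the thread:
# CN is a person, not a host, and EKU allows only emailProtection.
make_email_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/email.key" -out "$WORK/email.pem" \
        -subj "/CN=Ran Shenhar/emailAddress=ran@example.invalid" \
        -addext "extendedKeyUsage=emailProtection" >/dev/null 2>&1
    echo "$WORK/email.pem"
}

# Constructed cert with no KU/EKU at all, i.e. what Ronny describes:
# nothing forbids serverAuth, but the name still does not match a host.
make_bare_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/bare.key" -out "$WORK/bare.pem" \
        -subj "/CN=Ran Shenhar/emailAddress=ran@example.invalid" >/dev/null 2>&1
    echo "$WORK/bare.pem"
}

# Constructed proper server cert: hostname in SAN, EKU serverAuth.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" \
        -subj "/CN=www.example.invalid" \
        -addext "subjectAltName=DNS:www.example.invalid" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
    echo "$WORK/server.pem"
}

# Returns 0 if the cert's SAN (or, failing that, CN) matches hostname $2.
# openssl prints "Hostname X does match certificate" or "does NOT match".
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Returns 0 if OpenSSL's sslserver purpose check (KU/EKU rules) passes.
# The certs are self-signed, so each one is its own trust anchor here.
cert_usable_as_server() {
    openssl verify -purpose sslserver -CAfile "$1" "$1" >/dev/null 2>&1
}

# Prints the EKU value line, or "absent" when the extension is missing.
cert_eku() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Extended Key Usage/ { getline; sub(/^ */, ""); print; found = 1 }
        END { if (!found) print "absent" }'
}

# Usage: report on all three constructed certs.
report() {
    for f in "$(make_email_cert)" "$(make_bare_cert)" "$(make_server_cert)"; do
        printf '%s\n  EKU: %s\n' "$(basename "$f")" "$(cert_eku "$f")"
        cert_matches_host "$f" www.example.invalid \
            && echo "  name matches www.example.invalid" \
            || echo "  name does NOT match www.example.invalid"
        cert_usable_as_server "$f" \
            && echo "  sslserver purpose: OK" \
            || echo "  sslserver purpose: rejected"
    done
}
```

Running `report` shows the three outcomes Ronny's answer distinguishes: the e-mail cert fails both checks, the bare cert passes the purpose check (no EKU means nothing forbids serverAuth) but still fails the hostname check, and only the server cert passes both. For a server reached by IP address, as in the thread, the certificate needs an IP SAN, and the name check is `openssl x509 -checkip <addr>` rather than `-checkhost`.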
