hi, maybe this i the problem, i believe it is not signed by same CA certificate. I am a bit confused about this :) How can i know what i should write in SSLCACertificateFile ? ________________________________________ Fra: fred-users-bounces(a)lists.nic.cz [fred-users-bounces(a)lists.nic.cz] På vegne af Vitezslav Novy [vnovy(a)vnovy.net] Sendt: 12. marts 2009 14:03 Til: fred-users(a)lists.nic.cz Emne: Re: certificate Petur Kirke wrote: Is new certifikate signed by same CA certificate as old one? If not, did you changed certificate in file pointed by apache directive SSLCACertificateFile ?? v. _______________________________________________ Fred-users mailing list Fred-users(a)lists.nic.cz https://lists.nic.cz/mailman/listinfo/fred-users This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient or authorized to receive information for the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If the email contains proposals, they are valid for 30 days following the date of email transmission. Finally, the recipient should check this email and any attachment for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by email.

Petur Kirke wrote: In file /verisign.crt should be CA certificate by which is your new fred-client certificate signed. You should also update certificate fingerprint in registraracl table. v.

Petur Kirke wrote: openssl x509 -in <certificate file> -fingerprint v.

but i need one real certificate for ssl on my website too could i put the REEL one in httpd.conf, and the one you recommend in fred-client.conf ? ________________________________________ Fra: fred-users-bounces(a)lists.nic.cz [fred-users-bounces(a)lists.nic.cz] P&#229; vegne af Jaromír Talíř [jaromir.talir(a)nic.cz] Sendt: 12. marts 2009 15:36 Til: fred-users(a)lists.nic.cz Emne: Re: SV: certificate Petur Kirke píše v Čt 12. 03. 2009 v 15:17 +0000: This is not OK. In this configuration your client certificates must be signed by verisign. If you don't care about certificates, put there this: # SSL configuration SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2: +EXP SSLVerifyClient require SSLCertificateFile /usr/share/fred-mod-eppd/ssl/test-cert.pem SSLCertificateKeyFile /usr/share/fred-mod-eppd/ssl/test-key.pem SSLCACertificateFile /usr/share/fred-mod-eppd/ssl/test-cert.pem Providing that you installed fred-mod-eppd-2.1.0 by combination Otherwise unpack this certificate from packages, put it somewhere and update path in SLL* options. test-[cert,key] is self signed certificate with long (10 years) validity. It can be used as a CA certificate and also as a client certificate (it's self-signed). Default installation of fred-client is packed with this certificate. Regards, Jaromir This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient or authorized to receive information for the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If the email contains proposals, they are valid for 30 days following the date of email transmission. Finally, the recipient should check this email and any attachment for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by email.

Thanks, i solved the problem I had to correct the fingerprint again in registraracl table. Now everyting is working and fine. Thanks for your help. :) Petur ________________________________________ Fra: Petur Kirke Sendt: 13. marts 2009 11:33 Til: fred-users(a)lists.nic.cz Emne: SV: SV: certificate I changed certificate files in fred-client.conf to these: /usr/share/fred-mod-eppd/ssl/test-cert.pem /usr/share/fred-mod-eppd/ssl/test-key.pem and finally it seems like my certificate is working but now fred-client tells me im not connected: ----------------------------------------- [root@fred ~]# fred-client FredClient 1.6.1 Type "help", "license" or "credits" for more information. Using configuration from /etc/fred/fred-client.conf You are not connected. ---------------------------------------- What is wrong ? Or how do i connect ? Petur ________________________________________ Fra: fred-users-bounces(a)lists.nic.cz [fred-users-bounces(a)lists.nic.cz] P&#229; vegne af Jaromír Talíř [jaromir.talir(a)nic.cz] Sendt: 12. marts 2009 15:36 Til: fred-users(a)lists.nic.cz Emne: Re: SV: certificate Petur Kirke píše v Čt 12. 03. 2009 v 15:17 +0000: > Does this look ok or not: > SSLCertificateFile /fred.crt > SSLCertificateKeyFile /verisign.key > #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt > SSLCACertificateFile /verisign.crt This is not OK. In this configuration your client certificates must be signed by verisign. If you don't care about certificates, put there this: # SSL configuration SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2: +EXP SSLVerifyClient require SSLCertificateFile /usr/share/fred-mod-eppd/ssl/test-cert.pem SSLCertificateKeyFile /usr/share/fred-mod-eppd/ssl/test-key.pem SSLCACertificateFile /usr/share/fred-mod-eppd/ssl/test-cert.pem Providing that you installed fred-mod-eppd-2.1.0 by combination Otherwise unpack this certificate from packages, put it somewhere and update path in SLL* options. test-[cert,key] is self signed certificate with long (10 years) validity. It can be used as a CA certificate and also as a client certificate (it's self-signed). Default installation of fred-client is packed with this certificate. Regards, Jaromir > ________________________________________ > Fra: fred-users-bounces(a)lists.nic.cz [fred-users-bounces(a)lists.nic.cz] P&#229; vegne af Vitezslav Novy [vnovy(a)vnovy.net] > Sendt: 12. marts 2009 14:03 > Til: fred-users(a)lists.nic.cz > Emne: Re: certificate > Petur Kirke wrote: > > I tried to install a new certificate, but this gives me this error: > > > ERROR: socket.sslerror: (1, 'error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca') (localhost:700) > > Certificate not signed by verified certificate authority. > > > Any certificate specialist there ? :) > Is new certifikate signed by same CA certificate as old one? > If not, did you changed certificate in file pointed by apache directive > SSLCACertificateFile ?? > v. > _______________________________________________ > Fred-users mailing list > Fred-users(a)lists.nic.cz > https://lists.nic.cz/mailman/listinfo/fred-users > This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. > If you are not the intended recipient or authorized to receive information for the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If the email contains proposals, they are valid for 30 days following the date of email transmission. Finally, the recipient should check this email and any attachment for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by email. > _______________________________________________ > Fred-users mailing list > Fred-users(a)lists.nic.cz > https://lists.nic.cz/mailman/listinfo/fred-users This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient or authorized to receive information for the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If the email contains proposals, they are valid for 30 days following the date of email transmission. Finally, the recipient should check this email and any attachment for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by email.