server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
Craig
Craig, You have to install the root certificate and client certificate to the correct certificate store. You have two options - the machine store or the personal certificate store of your current Windows user. The personal certificate store is probably what you want. Double click the client certificate, select "install certificate" and choose "Place the certificate in the following store". Select the "Personal" certificate store. That should solve your problem. Jason -- Jason Wittlin-Cohen Yale Law School, Class of 2010 jason.wittlin-cohen@yale.edu
On Wed, 2008-12-10 at 19:32 -0500, Jason Wittlin-Cohen wrote:
server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
Craig
Craig,
You have to install the root certificate and client certificate to the correct certificate store. You have two options - the machine store or the personal certificate store of your current Windows user. The personal certificate store is probably what you want.
Double click the client certificate, select "install certificate" and choose "Place the certificate in the following store". Select the "Personal" certificate store. That should solve your problem.
Thanks...I sort of thought so but this has been a frustrating experience and I'm not that dumb. Is it normal for this 'client' certificate to show "Windows does not have enough information to verify this certificate" when you view it? I did take the 'ca.der' and that is loaded in 'Trusted Root Authorities' and seems to be happy there but the client certificate, even newly generated from the scripts and the new Makefile from Ivan still shows that warning. It seems possible to me that the certificate provided by the server should provide the link between the CA certificate and the client certificate installed on the Windows client and make it happy but I haven't gotten this to work right - at least consistently. Craig
Is it normal for this 'client' certificate to show "Windows does not have enough information to verify this certificate" when you view it?
No. Click on the details and see who is the issuer - server or ca. You should give users .p12 certificates which can't be installed without a password used to create them. They can be viewed once they are installed.
I did take the 'ca.der' and that is loaded in 'Trusted Root Authorities' and seems to be happy there but the client certificate, even newly generated from the scripts and the new Makefile from Ivan still shows that warning. It seems possible to me that the certificate provided by the server should provide the link between the CA certificate and the client certificate installed on the Windows client and make it happy but I haven't gotten this to work right - at least consistently.
Link between them exists when ca is the issuer. It is listed in client certificate details. In theory, it is better for server certificate ti issue client certificates. In practice, Windows won't recongnize intermediate CA role for server certificate. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Craig White -
Jason Wittlin-Cohen -
tnt@kalik.net