ZServerSSL and Certificates
jmeile at hotmail.com
Thu Aug 5 18:38:55 CEST 2004
> I have been able to get ZServerSSL to work with the demo certs, and
> with some self generated. However I'm really not clear on
> certificates in general, and we're about to try it with real certs
> from a real CA.
I'm not a guru either, but I guess I know what your problem is. By the
way, if I were you, I would try to use apache+mod_ssl+mod_rewrite
instead of m2crypto. I have heard apache is faster than the latter and
you won't have ZServer exposed to the world. If you want more info about
this, search the zope mailing list on list.zope.org.
> What I did this last go-around was to snag CA.pl and visit
I haven't tried it, but it looks good.
> So I take privatekey.pem and the ca cert and combine them into a
> single file called ca.pem.
> Then I:
> # ./CA.pl -sign
> # openssl rsa < newreq.pem > newkey.pem
> and I combine the server cert and newkey.pem and call it server.pem.
I think more or less that's what I did.
> However, when I try and access the site I get:
> Microsoft IE6 first shows a request for a cert to use, I click OK to
> bypass it then a warning dialog that the ca is not trusted.
> Mozilla displays a panel warning that there are three potential
> In either case if I ignore the warnings I get a secure connection.
> I need to understand what I'm doing wrong here.
Perhaps the Common Name (CA) of your cert isn't the same as the url of
your website. Check this on the cert properties on the certificate
manager of Mozilla.
Another problem could be that "entrust.com" isn't listed as Trusted Root
Certification Authority (look on the certificate manager of Mozilla or
IE). I only found "entrust.net". I guess the certificates generated by
this website aren't intended for business. I think that if you want your
certificate to be signed by some well known CA, you have to pay. Anyway,
the warning is not bad. It depends on your needs.
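
The two causes suggested in the reply (a certificate name that does not match the site's URL, and an issuing CA that is not among the client's trusted roots) can be told apart with `openssl verify`. The script below is an added example, not part of the original message; the throwaway CAs, the file names, the host names and the helpers `make_demo` and `check_cert` are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: the CAs, file names and host names below are assumptions.

# Build two throwaway CAs and one server cert (CN=www.example.test)
# signed by the first CA, in the spirit of the CA.pl steps quoted above.
make_demo() {
    dir=$1
    for ca in demo other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${ca} CA" \
            -keyout "$dir/${ca}-ca.key" -out "$dir/${ca}-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/newreq.pem" -days 1 \
        -CA "$dir/demo-ca.pem" -CAkey "$dir/demo-ca.key" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
}

# check_cert CAFILE CERT HOST
# Prints "untrusted-ca" if CERT does not chain to a CA in CAFILE,
# "name-mismatch" if the chain is fine but HOST is not named in CERT,
# otherwise "ok".
check_cert() {
    cafile=$1; cert=$2; host=$3
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo untrusted-ca
        return 0
    fi
    # With no subjectAltName present, OpenSSL falls back to the Common Name.
    # Current browsers match on subjectAltName only, so a real cert needs one.
    if ! openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" \
            >/dev/null 2>&1; then
        echo name-mismatch
        return 0
    fi
    echo ok
}

d=$(mktemp -d) || exit 1
make_demo "$d" || exit 1
echo "issuing CA trusted, URL host matches: $(check_cert "$d/demo-ca.pem" "$d/newcert.pem" www.example.test)"
echo "issuing CA trusted, other URL host:   $(check_cert "$d/demo-ca.pem" "$d/newcert.pem" zope.example.test)"
echo "only a different CA trusted:          $(check_cert "$d/other-ca.pem" "$d/newcert.pem" www.example.test)"
rm -rf "$d"
```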