UPDATE: We are now using the latest intermediate cert, since
the older intermediate cert mentioned in this article expired on
January 7, 2004. So the part of this web page about installing the older
cert is NO LONGER VALID.
Most of these fixes were worked out against IE 5.0 on Windows 98.
A lot of those systems are still out there, so when our QA department
hit our site, these bugs would appear. Hopefully, the HipTips on
this page will save you some time and effort.
Problem 1: Old Versions of IE 5.0 on Windows 98 don't work with my cert
For some reason, old versions of IE have a broken SSLv3 implementation. The problem
is described here: Mod SSL FAQ on IE Errors. I implemented the setting they recommend
(it was already in the Apache conf file, commented out).
I uncommented the following line, and everything worked:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Essentially, it turns off anonymous Diffie-Hellman (ADH) and the broken
56-bit export ciphers for the SSLv3 protocol. Be aware that the rest of the
string is a 2003-era default: it still admits LOW-strength, export (EXP) and
SSLv2 ciphers, all of which have since been broken, so on a server you run
today keep the exclusions and replace the remainder with a current cipher list.
Problem 2: The validity period of this certificate exceeds that of its certification authority
(or, more problems with old versions of IE 5.0 on Windows 98 not working with my cert)
This one was really interesting. We were using a Verisign Global ID
(which also goes by a few other names). At any rate, when we opened our
site in a fresh Win98 install, a dialog would pop up. When we opened
the dialog, it reported the above error with the cert.
Essentially, the Verisign root certificate that ships in the 40-bit build of
IE 5.0 expires in 2004, while the new intermediate certificates issued
with Verisign Global IDs expire in 2011.
IE 5.0 insists that a certificate's validity period lie inside its issuer's,
so an intermediate that outlives the root is taken as the CA exceeding its
authority and IE calls foul. So I went to Verisign's site, and they recommended
that people either use the old cert or force users to upgrade.
The people at my office wanted to just 'make it work'. They
could go to their bank's site, and it would work. (Note that it wouldn't
work with PayPal.) The trick was to get one of the older
intermediate certs that expires in 2004 rather than 2011.
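To see exactly what IE 5.0 was objecting to, here is the nesting check scripted with the openssl CLI. This is an added example, not code from the original page or from Verisign; it assumes the openssl command line tool and GNU date (for `date -d`) are installed, and the CA names, file names and lifetimes it builds are invented for the demonstration. It generates a throwaway root and intermediate whose lifetimes mirror the 2004/2011 situation (root 30 days, intermediate 10 years), then the reverse, and reports what the old validator would have said about each.

```shell
#!/bin/sh
# Added example, not code from the original page: reproduce the nesting check
# that IE 5.0 applied to a chain ("the validity period of this certificate
# exceeds that of its certification authority") and show that an intermediate
# outliving its root trips it while one that expires first does not.
# Assumptions: the openssl CLI and GNU date (date -d) are installed; the CA
# names, file names and lifetimes used here are invented for the demo.
set -e

# notafter_epoch FILE: print the certificate's notAfter as Unix seconds.
notafter_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2-)
    date -u -d "$end" +%s
}

# nested_in_issuer CERT ISSUER: exit 0 when CERT expires no later than ISSUER.
# RFC 5280 path validation does not require this nesting, but IE 5.0 did.
nested_in_issuer() {
    cert_end=$(notafter_epoch "$1")
    issuer_end=$(notafter_epoch "$2")
    [ "$cert_end" -le "$issuer_end" ]
}

# check_chain CERT ISSUER [ISSUER2 ...]: walk leaf-to-root, requiring every
# certificate to be nested inside the one that signed it.
check_chain() {
    while [ $# -gt 1 ]; do
        nested_in_issuer "$1" "$2" || return 1
        shift
    done
    return 0
}

# ie5_verdict CERT ISSUER [...]: the message IE 5.0 would show for the chain.
ie5_verdict() {
    if check_chain "$@"; then
        echo "ok: every certificate expires no later than its issuer"
    else
        echo "error: the validity period of this certificate exceeds that of its certification authority"
    fi
}

# make_demo_chain DIR ROOT_DAYS INT_DAYS: build a throwaway root CA plus an
# intermediate it signs, each with the given lifetime in days (demo keys only).
make_demo_chain() {
    dir=$1; root_days=$2; int_days=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$root_days" \
        -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days "$int_days" -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/int.pem" 2>/dev/null
}

# Stand-alone run: the article's 2004-root / 2011-intermediate situation
# (root 30 days, intermediate 10 years) beside a properly nested chain.
# The first verdict is the IE 5.0 error line, the second is the "ok" line.
work=$(mktemp -d)
make_demo_chain "$work/outlives" 30 3650
make_demo_chain "$work/nested" 3650 30
ie5_verdict "$work/outlives/int.pem" "$work/outlives/root.pem"
ie5_verdict "$work/nested/int.pem" "$work/nested/root.pem"
```

The same functions can be pointed at a real pair before you deploy it: export the intermediate from the browser and the root from the IE certificate store, then run `check_chain intermediate.pem root.pem`. `openssl x509 -noout -subject -issuer -dates -in intermediate.pem` is the quickest way to confirm which intermediate you actually exported and when it expires.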
So, at Verisign's site, I found an older cert. However, it was broken:
the cert had spaces in it, and each space sits where a character should be
(every line is still 72 characters wide), so the block does not even
base64-decode. Here is what it looked like:
DON'T USE THIS ONE, IT WON'T WORK
-----BEGIN CERTIFICATE-----
MIIDhzCCAvCgAwIBAgIQfhQlq8GYwbnCvoO7qF7D4DANBgkqhkiG9w0BAQIFADBfMQswCQYD
VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTcwNDE3MDAwMDAwWhcN
MDQwMTA3MjM1OTU5WjCBujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUG
A1UECxMOVmVyaVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwg
U2VydmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5j
b3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01OOfdcSVq4
wR3Tsor cDCVQsv K1GLWjw6 SJPkLICp1OcTzTnqwSye28CAwEAAaOB5zCB5DAPBgNVHRME
CDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY3Js
LnZlcmlzaWduLmNvbS9wY2EzLjEuMS5jcmwwNAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUF
BwMCBglghkgBhvhCBAEGCmCGSAGG EUBCAEwCwYDVR0PBAQDAgEGMBEGCWCGSAGG EIBAQQE
AwIBBjANBgkqhkiG9w0BAQIFAAOBgQBWuHekqg8M7xFq4ceo bmWWgBJ2D/F1UE7fID3awNP
Mw3eB9DPWYx1xY8088gmm9AyXeBGrMvIUmsw63wFLC20KVJdvsqDfPpkliNtqPo5oj/Ww2cb
p7PC4K0PtwF9P7ChmAlpQdcXWq1Mrnkfkii/LzvbzgdS/qOkE1OY0wfa5w==
-----END CERTIFICATE-----
So, what was I going to do? The answer was to get a cert
from somewhere else. Luckily, IE lets you export certs to
a file. So I exported the intermediate cert from Wells
Fargo (in X.509 format) and placed it in the right place for Apache. It worked
great.
-----BEGIN CERTIFICATE-----
[certificate body not preserved on this page]
-----END CERTIFICATE-----