Hi Robert,

On 10/4/06, Robert Segall <roseg@apsis.ch> wrote:

> Most likely your browser doesn't know to send the required certificate;
> it probably receives some values in the CAlist which do not match
> anything in its certificate store. Try using ClientCert 3 9 (just to be
> on the safe side) and no CAlist at all just to see if you receive some
> certificate.

I tried ClientCert 3 9 with no CAlist and got the same response. Even using openssl s_client I can't see the client certificate being sent.

Digging around, I think I know what the problem is but don't have enough knowledge of CA certs to configure Pound.

Briefly, I found that the CA I'm using [1] created a new CA certificate in August, signed by a new CA root certificate. The new CA cert signed the server certificate. The client (user) certificate was signed by the 'old' CA cert (as it was issued before August). I'm told this has even confused some of the 'experts' using this CA, so this may explain some of the problems (as I'm not an expert).

So, in Pound I've got the two .pem CA certs in my CAlist (as these are the signers of the certs I want clients to present). Is this correct?

In the VerifyList file I've got the .pem CA root cert and both the old and new CA certs as this provides the chain to verify the presented certs. Correct?

In my browser I've got the user key/cert, old and new CA cert and root cert (to validate the server's certificate).

Thanks again for all the help you've offered.

Michael.

[1] http://www.grid-support.ac.uk/ca/
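The following is an added example, not code from the post above or from the Pound project: it builds a toy CA hierarchy shaped like the one Michael describes (one root, an old CA certificate that issued the user certificate, a new CA certificate that issued the server certificate) and uses openssl to check which bundle verifies which certificate before the bundles go into Pound's CAlist and VerifyList. The single-root layout, the file names and the CN values are assumptions; only the openssl chain check is modelled, not Pound's own handling of the directives.

```shell
#!/bin/sh
# Added example (not from the Pound list post): toy CA rollover, then check
# which PEM bundle verifies which certificate with openssl.
# Assumed layout: one root signs both the old and the new CA certificate.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue NAME SUBJECT ISSUER EXT: make a key + CSR for NAME, sign it with ISSUER.
issue() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -extfile ca.cnf -extensions "$4" -days 365 -out "$1.pem" 2>/dev/null
}

# Root certificate (constructed; CNs below are made up for the example).
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 3650 2>/dev/null
issue old-ca "/CN=Example CA (old)" root   v3_ca       # issued user certs before August
issue new-ca "/CN=Example CA (new)" root   v3_ca       # issued the server cert
issue client "/CN=Michael (user)"   old-ca v3_client   # user cert, signed by the OLD CA
issue server "/CN=www.example.test" new-ca v3_server   # server cert, signed by the NEW CA

# CAlist: the issuer names the server advertises as acceptable for client certs.
cat old-ca.pem new-ca.pem > calist.pem
# VerifyList: everything needed to chain a presented cert back to the root.
cat root.pem old-ca.pem new-ca.pem > verifylist.pem
# A wrong VerifyList that forgot the old CA, which a rollover easily invites.
cat root.pem new-ca.pem > newonly.pem

# verify_with BUNDLE CERT: exit 0 iff CERT chains to a certificate in BUNDLE.
verify_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# calist_names BUNDLE: print the subject of every certificate in a PEM bundle,
# i.e. the names a client sees in the server's certificate request.
calist_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

echo "acceptable client-cert issuers (CAlist):"
calist_names calist.pem
for bundle in verifylist.pem newonly.pem; do
    for cert in client.pem server.pem; do
        if verify_with "$bundle" "$cert"; then r=OK; else r=FAIL; fi
        echo "$cert against $bundle: $r"
    done
done
```

Running it shows client.pem verifying against verifylist.pem but failing against newonly.pem, while server.pem verifies against both: a VerifyList that lacks the issuer of the user certificate is exactly the case that makes a browser present nothing. The same openssl verify check can be run against the real bundles (the user certificate against the VerifyList file) before changing anything in Pound.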