UPDATE: We are now using the latest intermediate cert, since
the older intermediate cert mentioned in this article expired on
January 7, 2004. So, the part of this web page about installing an older
cert is NO LONGER VALID.
Most of these fixes were designed to deal with IE 5.0 on Windows 98.
A lot of those systems are still out there, so when our QA dept.
hit our site, these bugs would appear. Hopefully, the HipTips on
this page will save you some time and effort.
Problem 1: Old Versions of IE 5.0 on Windows 98 don't work with my cert
For some reason, the old versions of IE have a broken SSLv3. This problem
is described here: Mod SSL FAQ on IE Errors. I implemented the setting they recommended
(which was already in the Apache conf file).
I uncommented the following line, and everything worked:
Essentially, it just turns off Anonymous Diffie-Hellman (ADH) and the broken
56-bit Export Cipher for the SSLv3 protocol.
Problem 2: The validity period of this certificate exceeds that of its certification authority
(or: more problems with old versions of IE 5.0 on Windows 98 not working with my cert)
This one was really interesting. We were using a Verisign Global ID
(which also has a few other names). At any rate, when we opened our
site in a fresh Win98 install, a dialog would pop up. When we opened
the dialog, it would indicate the above error with the cert.
Essentially, the root certificate that is shipped in IE 5.0/40 bit
expires in 2004. The new intermediate certificates that are issued
with Verisign Global IDs have an expiration date of 2011.
Because the intermediate outlives the root that signed it, IE decides
that it has exceeded its authority and calls foul. So, I went to
Verisign's site, and they recommended that people use the old cert or
force users to upgrade.
The people at my office wanted to just 'make it work'. They
could go to their bank site, and it would work. (Note, it wouldn't
work with PayPal.) The trick was to get one of these older
intermediate certs that expires in 2004 rather than 2011.
So, at Verisign's site, I found an older cert. However, it was broken:
the cert had spaces in it. Here is what it looked like:
DON'T USE THIS ONE, IT WON'T WORK
wR3Tsor cDCVQsv K1GLWjw6 SJPkLICp1OcTzTnqwSye28CAwEAAaOB5zCB5DAPBgNVHRME
BwMCBglghkgBhvhCBAEGCmCGSAGG EUBCAEwCwYDVR0PBAQDAgEGMBEGCWCGSAGG EIBAQQE
So, what was I going to do? The answer was to get a cert
from somewhere else. Luckily, IE lets you export certs to
a file. So I exported the intermediate cert from Wells
Fargo (in x509 format) and placed it in the right place for Apache. It worked
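
One way to check a downloaded certificate file for the kind of damage shown above before pointing Apache at it, as an added example that is not part of the original article. It assumes the blanks either replaced `+` characters (a common side effect of URL or form decoding) or were inserted as extra characters; the function names and the sample blob are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_is_complete(der):
    """True if der is exactly one DER SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, body = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)

def _decode(b64):
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:                      # bad alphabet, length or padding
        return None

def diagnose_pem(pem):
    """Return 'ok', 'plus-mangled', 'stray-space', 'broken' or 'no-pem-armor'."""
    m = PEM_RE.search(pem)
    if not m:
        return "no-pem-armor"
    body = re.sub(r"[\r\n]", "", m.group(1))
    # Candidate repairs: blanks that were '+' originally, or blanks that were inserted.
    candidates = [("ok", body)] if " " not in body else [
        ("plus-mangled", body.replace(" ", "+")),
        ("stray-space", body.replace(" ", "")),
    ]
    for label, b64 in candidates:
        der = _decode(b64)
        if der is not None and der_is_complete(der):
            return label
    return "broken"

def make_sample_pem():
    """Constructed sample: a DER-shaped blob (not a real cert) whose base64 contains '+'."""
    payload = b"\x00\x00" + b"\xfb\xef\xbe" * 2 + bytes(288)
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

The outer DER length is what separates the two repairs: putting `+` back keeps the byte count, while deleting blanks that were really `+` leaves the blob shorter than its header claims.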