curl-users

RE: creating certs for HTTP, PEM files, OpenSSL, etc

From: Tony G <1xrdqj102_at_sneakemail.com>
Date: Sun, 7 Mar 2004 14:34:31 -0800

Problem solved. See below. I'm leaving my diagnostic details in, in case
someone else has need for this info.

Dr Stephen N. Henson of the OpenSSL project wrote in the OpenSSL-users list:
>You'd be better off using the 'ca' utility via the CA.pl
>command. ....

As suggested, I used CA.pl to create a new CA and then sign a request
created in IIS. I then cut the data before "Begin Certificate" in the
newcert.pem and successfully installed the new server cert to IIS. As
before, I used certmgr to install the cacert.pem to my Trusted Root, and IE
accesses IIS via HTTPS fine.

>I've just had a quick look at the manual and it appears that
>you should specify the list of trusted CAs in the --cacert
>option in PEM format. Unless you want to do something like
>client authentication you shouldn't need any other options.

Using the new cacert.pem, I've tried a number of cURL params including the
simple form recommended above, with no luck. I figured OpenSSL with
s_client should access the site just like cURL, but it doesn't (!), and
since that doesn't work then I don't think this is a cURL issue anymore.
The command I tried is:

openssl s_client -connect myhostname:443 -CAfile cacert.pem

When I try a page that does not require SSL I get the page. When I try a
secured page I consistently get a 401 Access Denied. I've been getting the
401 from cURL too, so apparently it's making it through.

Solution:
The Access Denied message made me think it was now an authentication issue
beyond SSL. I checked IIS and sure enough, checking Anonymous Access for
the directory now allows OpenSSL and cURL to access the site with HTTPS.
Somehow IE is doing its own login (?).

Thanks much
Tony
Received on 2004-03-07
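
Added example, not part of the original mail: a 401 can only arrive after the TLS handshake has completed, so an `openssl s_client` transcript shows which layer refused the request. The Python sketch below reads such a transcript and reports the layer plus the `WWW-Authenticate` schemes the server offered. The transcript, the CA name and the function name `diagnose` are constructed for illustration.

```python
import re

# Constructed transcript: roughly what
#   openssl s_client -connect myhostname:443 -CAfile cacert.pem
# prints after a GET for a protected page is typed in (not from the original mail).
SAMPLE = """\
CONNECTED(00000003)
depth=1 CN = Example Test CA
verify return:1
depth=0 CN = myhostname
verify return:1
---
SSL handshake has read 1893 bytes and written 420 bytes
---
    Verify return code: 0 (ok)
---
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 24

Error: Access is Denied.
"""

def diagnose(transcript):
    """Return (layer, detail) naming the layer that rejected the request."""
    verify = re.search(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)", transcript)
    if verify is None:
        return ("tls", "no handshake result in transcript")
    if verify.group(1) != "0":
        # Non-zero code: the CA file did not validate the server chain.
        return ("tls", "certificate verification failed: " + verify.group(2))
    status = re.search(r"^HTTP/\d\.\d\s+(\d{3})", transcript, re.M)
    if status is None:
        return ("http", "handshake verified, no HTTP response captured")
    code = int(status.group(1))
    if code == 401:
        # TLS is fine; the server is asking for HTTP-level credentials.
        schemes = re.findall(r"^WWW-Authenticate:\s*(\S+)", transcript,
                             re.M | re.I)
        return ("http-auth", "server wants credentials via: "
                + ", ".join(schemes or ["unknown"]))
    if code >= 400:
        return ("http", "status %d" % code)
    return ("ok", "status %d" % code)

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The schemes listed are the ones a client would have to answer to reach the page without anonymous access; with curl that means `-u` together with `--ntlm`, `--negotiate` or `--anyauth`.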