I am new to SSL and PKI and am certain I've done something wrong - but not a clue what. I apologize if this question is not in the correct forum. Please let me know and I'll move/repost it to the correct forum.
The problem I'm having is that my certificates are accepted when browsing to my site via IE, but both Safari and Firefox display errors saying "the identity of this site cannot be verified".
Here's my setup:
All of my servers/workstations have 'internal' IP addresses on the 192.168.5.x/24 subnet. The servers have static (internal) IPs; the workstations use DHCP.
Windows Server 2012 with standalone "Certification Authority" role installed and configured. I exported its own self-signed certificate and added it to the "Trusted Root Certification Authorities" store on my client device (Windows 7)
I used OpenSSL to generate certificate signing requests (containing multiple aliases) for each of my 2 additional Hyper-V Windows Server 2012 servers. I had my certification authority sign these requests to create the actual certificates for my 2 servers. For simplicity, let's say these servers are named server1.tenly.com and server2.tenly.com.
I configured SSL on Apache on both server1.tenly.com and server2.tenly.com using the .key file generated by OpenSSL and the certificate signed by my Certification Authority.
From my Windows 7 client device, I attempted to access the Apache website on Server 1 with https://server1.tenly.com/ and the welcome page was successfully displayed. Clicking on the lock displayed a message saying the site had been identified and that the connection was encrypted.
I then tried to access the same Apache website using https://server1.tenly.com/ from Safari and from Firefox and received a popup saying that "Safari can't verify the identity of the website" and a similar message from Firefox.
I've spent about all weekend googling for this particular scenario but was unable to find anything useful.
One other (possibly related) question I have about the SSL handshake is:
How does my browser know how/where to check the validity of the certificate? The self-signed certificate for my standalone CA is on my local network, but I do not see any IP address or FQDN inside the certificate itself, which I added to the Trusted Root CA store. Or maybe it doesn't have to? Is the simple fact that I have a certificate in my Trusted Root store good enough, so that any other certificate that appears and has been signed by the Standalone CA is automatically trusted? Ok, I can see how that might make sense, but then why isn't this working?
It's so frustrating because I'm so close and have now wasted about 36 hours (and counting) looking for this one last issue before I can move on to real work.
Thanks in advance to any who take the time to reply!
Jim