ZServerSSL and Certificates

However I'm really not clear on
certificates in general, and we're about to try it with real certs
from a real CA.
Ahem, please read this sentence aloud to yourself. Does it sound like a
good idea?
# openssl -des3 -out privatekey 1024
# ./CA.pl -newreq
You mean 'openssl rsa ...' Anyways it is a no-op, given your second
command; i.e., 'CA.pl -newreq' generates a key pair.
So I take privatekey.pem and the ca cert and combine them into a
single file called ca.pem.
Why?
# ./CA.pl -sign
This _signs_ your certificate request. Given that you've already gotten
your certificate request signed by a 3rd party CA, this step is
superfluous.
# openssl rsa < newreq.pem > newkey.pem
and I combine the server cert and newkey.pem and call it server.pem.
Yup this is fine provided your newreq.pem contains your private key.
Microsoft IE6 first shows a request for a cert to use,
This sounds like the server is asking for a client cert. Have you
configured your ZServerSSL to do so? I think the server doesn't do that by
default.
I click OK to
bypass it then a warning dialog that the ca is not trusted.
Is the 3rd party CA's cert installed into your IE6?
Mozilla diaplays a panel warning that there are three potential
problems.
What are the error messages?
In either case if I ignore the warnings I get a secure connection.
You get a HTTPS connection. You are connecting to a site (well, your own,
in this case) which certificate's CA your browser does not trust.
"Secure" is a loaded word. ;-)
I need to understand what I'm doing wrong here.

Hi,

I have been able to get ZServerSSL to work with the demo certs, and
with some self generated. However I'm really not clear on
certificates in general, and we're about to try it with real certs
from a real CA. I'm not a guru either, but I guess I know what your problem is. By the
way, if I were you, I would try to use apache+mod_ssl+mod_rewrite
instead of m2crypto. I have heard apache is faster than the later and
you won't have ZServer exposed to the world. If you want more info about
this, search the zope mailing list on list.zope.org.
What I did this last go-around was to snag CA.pl and visit
https://www.entrust.com/freecerts/ag_server_req.cfm I haven't tried it, but it looks good.
So I take privatekey.pem and the ca cert and combine them into a
single file called ca.pem.

Then I:

# ./CA.pl -sign
# openssl rsa < newreq.pem > newkey.pem

and I combine the server cert and newkey.pem and call it server.pem. I think more or less that's why I did.
However, when I try and access the site I get:

Microsoft IE6 first shows a request for a cert to use, I click OK to
bypass it then a warning dialog that the ca is not trusted.

Mozilla diaplays a panel warning that there are three potential
problems.

In either case if I ignore the warnings I get a secure connection.

I need to understand what I'm doing wrong here.

So I take privatekey.pem and the ca cert and combine them into a
single file called ca.pem.
Why? The server's private key has nothing to do with the CA certificate.
Then I:

# ./CA.pl -sign
# openssl rsa < newreq.pem > newkey.pem
Nope. You don't have to issue a new cert.
and I combine the server cert and newkey.pem and call it server.pem.
You issued another server cert without need for doing so.
Microsoft IE6 first shows a request for a cert to use, I click OK to
bypass it then a warning dialog that the ca is not trusted.