Re: SSLCertificateChain file for Intermediate CA

Fri, 18 May 2001 04:16:00 -0700 

On Fri, May 18, 2001 at 01:21:31PM +0200, Henning von Bargen wrote:
> Lutz, when I try to access your site
> with Internet Explorer 5.5,
> IE tells me that it cannot verify the certificate.
> German error message is:
> Das Zertifikat wurde von einer Firma ausgestellt,
> die Sie nicht als vertrauenswürdig eingestuft haben.
> Untersuchen Sie das Zertifikat um festzustellen, 
> ob Sie der ausstellenden Institution vertrauen möchten.

Yes, that is true. Our certificate was issued by our university's
computer center (intermediate CA) and the root CA is the DFN
(german research network, the provider for the german universities
and scientific institutions).

emws1 26: openssl s_client -connect www.aet.tu-cottbus.de:443
CONNECTED(00000003)
depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
Cottbus/OU=Allgemeine Elektrotechnik und Numerische 
[EMAIL PROTECTED]
   i:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
[EMAIL PROTECTED]
 1 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
[EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
 2 s:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]

The message IE shows is due to the fact, that DFN-PCA is not part of the
standard CA bundle.
When you import the DFN-PCA certificate, the problem will go away:
  http://www.pca.dfn.de/dfnpca/certify/ssl/pca-key.html
(I also have not initialized the trusted CA storage for openssl s_client,
which correspondingly complains about "self signed certificate in
certificate chain").

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to