I need help solving the following problem

I have recently obtained and installed a secure certificate from VeriSign. However, 
visitors to my site still get an error message stating that we are using a certificate 
signed by an untrusted CA. Netscape and Mozilla users are alerted by pop-up while IE 
users would only notice the error if they explore the certificate by clicking the 
'lock' icon.

This is the information provided by "Issuer" under the "Details" tab of "Certificate 
Information" in IE6/Win98, the same information is provided by Mozilla 1.0.1/RH7.3
OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
OU = VeriSign International Server CA - Class 3
OU = VeriSign, Inc.
O = VeriSign Trust Network

I have installed the certificate and the intermediate certificate per modssl  
instructions and verified installation with VeriSign instructions but visitors to my 
site still get an error that the cert has been signed by an untrusted CA. However, the 
properties of the cert reveal that the issuer is indeed VeriSign Trust Network. 
VeriSign support has told me that it is an installation error, and that the cert is 
not "Chaining."

My installation: I received the cert from VeriSign as an email attachment and saved 
the cert to: $APACHE_HOME/conf/ssl.crt/server.crt. I then visited the VeriSign web 
site, copied and pasted the intermediate cert into a text editor (gEdit) and saved the 
file to $APACHE_HOME/conf/ssl.crt/ca.crt. I updated my conf with the following 
directives:

<VirtualHost MY_IP:443>

...

SSLCertificateFile      conf/ssl.crt/server.crt  
SSLCertificateKeyFile   conf/ssl.key/server.key
SSLCACertificateFile    conf/ssl.crt/ca.crt
        
SSLProtocol             -all +SSLv2
SSLCipherSuite          SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

</VirtualHost>

Apache was then restarted: $APACHE_HOME/bin/apachectl stop, then $APACHE_HOME/bin/apachectl 
startssl. I have even tried recompiling Apache and used `make certificate TYPE=existing`.

I am using:
RH 7.1
Apache 1.3.27
openssl-0.9.6e
mod_ssl-2.8.12-1.3.27

Has anyone else experienced this or can they point out any errors with my process?

Thanks

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
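
A local consistency check for the files named in the message above, as an added example that is not part of the original post or of mod_ssl: it confirms that the pasted intermediate still parses, that it is the named issuer of the server certificate and verifies it, and that the private key belongs to the certificate. The function name check_chain and its return codes are assumptions made for this example, and it assumes a current OpenSSL command-line tool that supports -partial_chain, which is newer than the 0.9.6e listed in the post.

```shell
#!/bin/sh
# Added example: check_chain and its return codes are hypothetical names.
# Usage: check_chain SERVER_CERT INTERMEDIATE_CERT [PRIVATE_KEY]
# Returns 0 = consistent, 2 = file does not parse, 3 = issuer name mismatch,
#         4 = openssl verify rejected the pair, 5 = key does not match cert.
check_chain() {
    leaf=$1; inter=$2; key=${3:-}

    # 1. A certificate pasted from a web page can lose lines or gain stray
    #    characters, so confirm both files still parse as PEM X.509.
    for f in "$leaf" "$inter"; do
        openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "not a parseable PEM certificate: $f" >&2; return 2; }
    done

    # 2. Name chaining: the leaf's Issuer must equal the intermediate's Subject.
    issuer=$(openssl x509 -in "$leaf" -noout -issuer_hash)
    subject=$(openssl x509 -in "$inter" -noout -subject_hash)
    [ "$issuer" = "$subject" ] ||
        { echo "intermediate is not the named issuer of $leaf" >&2; return 3; }

    # 3. Signature and validity: treat the intermediate as the trust anchor
    #    (-partial_chain) so the root is not needed for this local test.
    openssl verify -partial_chain -CAfile "$inter" "$leaf" >/dev/null 2>&1 ||
        { echo "openssl verify rejected $leaf under $inter" >&2; return 4; }

    # 4. Optional: the private key must carry the public key in the certificate.
    if [ -n "$key" ]; then
        cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
        [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
            { echo "private key does not match $leaf" >&2; return 5; }
    fi
    return 0
}

# Run directly: sh check_chain.sh conf/ssl.crt/server.crt conf/ssl.crt/ca.crt
if [ "$#" -ge 2 ]; then check_chain "$@"; fi
```

A return of 0 only says the files on disk are consistent with each other; which certificates the server actually presents to a browser is a separate question. A passphrase-protected key makes step 4 prompt for the passphrase.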
