On 09/13/2010 10:12 PM, Paul B. Henson wrote:
> On Mon, 13 Sep 2010, Tim Hudson wrote:
>
>> You need to correct your server configuration so that it correctly sends
>> out the chain.
>
> Ok, I figured out what was wrong. I only had the SSLCertificateChainFile
> configured in the specific ssl virtual host, but not the default ssl
> virtual host. When I added the SSLCertificateChainFile to the default
> virtual host config as well as the specific ssl virtual host the server
> started sending the chain.
>
> That was a very frustrating and confusing ordeal 8-/. It's weird that the
> browsers started working when I added it just to the specific ssl virtual
> host config; that led me to believe the server was configured correctly
> when it wasn't.
>
> Thanks much to everybody that helped!

Paul,

Browsers tend to cache certificates they receive from servers, which is why, once you had visited the properly configured site, all your other sites worked in that browser on that machine. IE does some wacky things when verifying the certificate chain, so don't always trust it where certificates are concerned.

For verifying certificates, I love using OpenSSL's s_client utility. It is a god-send (so long as you know what you should be seeing): run "openssl s_client -connect SITE:port" (in some cases you can use the protocol name for standard stuff: https, pop3s, etc.), then read the "Certificate chain" section and ignore all the rest (provided you know what you should see).

One key thing to remember is that with OpenSSL you don't necessarily have a default certificate store (the same can be said for wget and others). I do believe OpenSSL packages on Debian and Red Hat based systems (maintainer releases) use the system SSL directory '/etc/ssl/certs/' for root CAs, but remember it is best practice that the server present the whole chain minus the root CA, as the client must have access to the root itself.

SSLCACertificateFile works on older versions of Apache 1.x and early versions of Apache 2.0.x the same way that SSLCertificateChainFile works on Apache 2.x nowadays.
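
The s_client check above, as an added example that is not from this thread: a small POSIX shell script that takes a saved transcript of "openssl s_client -connect HOST:PORT -showcerts" and reports how many certificates the server sent plus OpenSSL's verify result, so a vhost that is missing its chain file stands out even when a browser that has cached the intermediate from another site looks happy. The two transcripts embedded below are constructed samples, and www.example.com and the "Example ... CA" names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: given a saved transcript of
#   openssl s_client -connect HOST:PORT -showcerts
# report how many certificates the server sent and whether OpenSSL could
# build a trusted chain, so a missing chain file shows up without relying
# on a browser that may have cached the intermediate from another site.

# Number of PEM certificates presented (-showcerts prints each one).
chain_depth() {
    printf '%s\n' "$1" | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}
# Subject of each presented certificate, in the order sent (leaf first).
chain_subjects() {
    printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]* s:\(.*\)$/\1/p'
}
# Numeric "Verify return code" from the end of the transcript (0 = trusted).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}
# Verdict: one certificate plus a non-zero verify code is the classic
# "SSLCertificateChainFile missing from this vhost" symptom.
chain_verdict() {
    depth=$(chain_depth "$1"); code=$(verify_code "$1")
    if [ "$depth" -le 1 ] && [ "$code" != 0 ]; then echo INCOMPLETE
    elif [ "$code" != 0 ]; then echo UNTRUSTED
    else echo OK; fi
}

# Constructed sample transcripts (certificate bodies replaced by a marker).
LEAF_ONLY=' 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
<leaf>
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)'
WITH_CHAIN=' 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
<leaf>
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
<intermediate>
-----END CERTIFICATE-----
    Verify return code: 0 (ok)'

echo "leaf only:  $(chain_verdict "$LEAF_ONLY")"
echo "with chain: $(chain_verdict "$WITH_CHAIN")"
```

Against a live server, capture the transcript with "openssl s_client -connect HOST:443 -showcerts </dev/null 2>&1" and pass it in place of the samples; test every vhost by name, since the thread shows the default vhost can be the one missing the chain.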


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org