Now have added only the Common Policy CA at the top of the certs file. The development site works for both the long chain and short chain users. Yea!

I put the cert file out on the production site and the short chain users can access the site but the long chain user can't and I saw "FAILED:unhandled critical extension" in the log for that user...

The only difference between the development site other than OS (XP vs. 2003) is the version of OpenSSL. On the dev site, I have 1.0.1. On production, I have 0.9.8r. When I upgraded OpenSSL on production to 1.0.1 (hoping to eliminate the error above), I think I killed the site for all Win 7 boxes. I say that because I had been able to access the production site with a test Win 7 laptop. I had to put OpenSSL back to 0.9.8r.

Frustrating...

Curtis

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate

On Thu, May 03, 2012, Tammany, Curtis wrote:

> Well...
> If by "trusted store" you mean my one cert file pointed to by
> SSLCACertificateFile, then yes I added the Common Policy, SHA-1 Federal Root
> CA and DoD Interoperability Root CA certs to the cert file on my development
> site and increased the depth. I got a user with a long cert chain to try to
> access the dev site and they could! But those with a short chain like myself
> could not access the dev site any more.
>

Try just including the Common Policy CA none of the others.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org