Re: SSLCertificateChain file for Intermediate CA
On Sun, 20 May 2001, Damon Maria wrote:

> One thing I haven't mentioned previously is that I'm running Apache 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with either of these versions.

Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and it uses the SSLCertificateChain thang without problems.

--
Regards,
Juha
PGP fingerprint: B7E1 CC52 5FCA 9756 B502 10C8 4CD8 B066 12F3 9544
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

RE: SSLCertificateChain file for Intermediate CA
:: Since I haven't gotten too much of a response yet (except for thanks to
:: Juha) I'll post my VirtualHost in httpd.conf, which I probably should
:: have done in the first place.
::
:: If I uncomment the SSLCertificateChainFile line then the following
:: appears in the log and apache won't start...
::
:: [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
:: certificate chain!

Stupid suggestion, perhaps, but can Apache read the CA file? Are the permissions OK?

--
Juha

RE: SSLCertificateChain file for Intermediate CA
Gidday Damon,

Seems to work OK... https://www.motorweb.co.nz loads fine, and if I look at the cert, I see:

Issued to: www.motorweb.co.nz
Issued by: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign [sic]
Valid from: 05/02/01 to 06/02/02
Cert serial is: 74EB B7E7 DB06 D3A7 5401 3B94 4C7B B1FE
Thumbprint: D0EA 585F DD9A E330 10DB A820 F2B1 327B FB15 48CD

--
Juha

PS. I'm gunna tell Nic what a l4m3r you are. ;

:: -----Original Message-----
:: From: [EMAIL PROTECTED]
:: [mailto:[EMAIL PROTECTED]]On Behalf Of Damon Maria
:: Sent: Thursday, 17 May 2001 15:48
:: To: [EMAIL PROTECTED]
:: Subject: SSLCertificateChain file for Intermediate CA
::
::
:: I'm using a Verisign Global ID and therefore need to configure modssl to
:: serve up the Intermediate CA. I've followed the various instructions
:: I've found for this but with no success.
::
:: I downloaded the Intermediate CA and saved it under intermediate_ca.crt
:: (I've listed it at the bottom of this message). I then added...
::
:: SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
::
:: into my VirtualHost next to all the other SSL* settings. But if I start
:: Apache with this setting it reports...
::
:: [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
:: certificate chain!
::
:: I've tried SSLLogLevel debug but this doesn't produce any more
:: information.
::
:: I've been trying for ages and am getting desperate, can someone help me
:: out.
::
:: thanks in advance,
:: Damon Maria.
::

RE: SSLCertificateChain file for Intermediate CA
:: Did you use IE? That seems to work fine (I guess it comes with the
:: Intermediate CA), Netscape and Opera both barf on it tho'.

Yes, IE 5.5; Konqueror 2.1.1 works too.

:: Wait until you try it in NS first :)

Nutscrape 4.76 says it does not recognize the authority who [sic] signed its [sic] certificate. It gets the right info (ie. who it belongs to and who issued it). Opera 5 says that the certificate chain is incomplete, and the signer is not registered. So that kind of sucks... but you can accept the cert.

Are you using the right command though?

This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.

This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication. That's usually not one expect.

I presume you're not trying to explicitly construct the server certificate chain that is being sent to the browser, together with the actual server cert?

--
Juha
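
The thread raises two things to rule out when a chain file is rejected: whether the file is readable, and whether it really is a clean concatenation of PEM-encoded certificates. The sketch below is an added example, not code from the thread or from mod_ssl; the function names are hypothetical, and it checks file structure only (markers, base64, outer DER length), not signatures or trust.

```python
import base64
import os
import re

# Added example: names below are hypothetical helpers, not part of mod_ssl.
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

def der_total_length(der):
    """Size announced by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_chain_text(text):
    """Return a list of structural problems in PEM chain text (empty = sane)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    begins, ends = text.count(BEGIN), text.count(END)
    if begins == 0:
        problems.append("no BEGIN CERTIFICATE marker")
    if begins != ends or begins != len(blocks):
        problems.append("unbalanced BEGIN/END markers")
    for i, body in enumerate(blocks, 1):
        try:
            # validate=True rejects stray characters such as mail quote marks
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"cert {i}: body is not clean base64")
            continue
        if der_total_length(der) != len(der):
            problems.append(f"cert {i}: DER length does not match decoded size")
    return problems

def check_chain_file(path):
    """Check readability first, then the PEM structure of the contents."""
    if not os.path.isfile(path):
        return [f"{path}: not a regular file"]
    if not os.access(path, os.R_OK):
        return [f"{path}: not readable by this user"]
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_chain_text(fh.read())
```

`os.access` answers for the calling user, so run `check_chain_file` as the account that has to read the file.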