Re: SSLCertificateChain file for Intermediate CA
Hi Damon,

Could you please put in the corrected part of your httpd.conf file - all the directives that are relevant to SSL connections. I am interested in looking at the corrected piece (and commented pieces as well).

Rajaram.

To: [EMAIL PROTECTED]
cc:
Subject: Re: SSLCertificateChain file for Intermediate CA

Damon Maria [EMAIL PROTECTED] 05/22/01 08:42 PM
Please respond to modssl-users

> I think I've solved my problem and would just like to post the answer for someone else's reference.
>
> The offending line is:
>
>     SSLProtocol -all +SSLv2
>
> If I take that line out mod_ssl can load the certificate chain. I presume there's a good reason for this (chains require SSLv3 at a guess)?
>
> SSLProtocol was originally added because we just couldn't get around problems with MSIE 4.x connecting with SSL. Although it is a big hack, the suggested SSL changes in the mod_ssl FAQ just didn't work for us. I've since removed the SSLProtocol, added a SSL session cache and added +eNULL to the end of the SSLCipherSuite. Now I'm just waiting to see if MSIE 4.x users can still connect.
>
> I've also recently seen talk of SSLRequire %{SSL_CIPHER} = 128 solving the MSIE SGC bug. Has someone confirmed this to be true?
>
> thanks for the help,
> Damon.
>
> --
> <VirtualHost ...>
> ServerName www.motorweb.co.nz
> SSLEngine on
> # The following hopefully get around the MSIE 4.x and 5.0 SGC bug
> # SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> # The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
> SSLProtocol -all +SSLv2
> SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> # SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
> # SSLLog /var/log/httpd/ssl_engine_log
> # SSLLogLevel debug
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
> CustomLog /var/log/httpd/ssl_request_log \
>     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
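Added here as an example (not code from the thread or from mod_ssl): a small Python linter that reads a VirtualHost like the one above and reports the two settings this thread turned on, an SSLProtocol that leaves only SSLv2 enabled (the SSLv2 handshake carries a single server certificate, so no chain can be delivered) and a missing or commented-out SSLCertificateChainFile, plus cipher-string tokens that deserve a second look. The directive names are real mod_ssl 2.x ones; the two sample configurations are reconstructed from Damon's posts, and the '<cipher spec>' in the last finding is a placeholder for the operator to fill in.

```python
# Added example (not code from the thread or from mod_ssl): lint a mod_ssl 2.x
# VirtualHost for the conditions the thread turned on. Directive names are real;
# the two sample configs are reconstructed from Damon's posts.

BROKEN_CONF = """\
<VirtualHost 210.55.172.141:443>
ServerName www.motorweb.co.nz
SSLEngine on
SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
</VirtualHost>
"""

FIXED_CONF = """\
<VirtualHost 210.55.172.141:443>
ServerName www.motorweb.co.nz
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate-ca.crt
</VirtualHost>
"""

PROTOCOLS = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
# Cipher-string tokens worth a second look. A '+' prefix only reorders, so
# whether these are really enabled depends on the tokens before them.
WEAK_TOKENS = {"eNULL": "null (unencrypted) ciphers", "EXP": "export-grade ciphers",
               "EXPORT40": "40-bit export ciphers", "LOW": "low-strength ciphers",
               "SSLv2": "SSLv2 ciphers"}

def parse_ssl_directives(conf):
    """Map each uncommented SSL* directive to its value (last one wins); skip tags/comments."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        if name.startswith("SSL"):
            found[name] = value.strip()
    return found

def protocols_enabled(spec):
    """Apply an SSLProtocol spec the way mod_ssl 2.x reads it: '+' adds, '-'
    removes, 'all' means every protocol, and a bare name is simply added."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(PROTOCOLS.values()) if name.lower() == "all" else {PROTOCOLS.get(name.lower(), name)}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled

def lint(conf):
    """Return human-readable findings; an empty list means nothing to report."""
    d = parse_ssl_directives(conf)
    findings = []
    if protocols_enabled(d.get("SSLProtocol", "all")) == {"SSLv2"}:
        # An SSLv2 handshake carries a single server certificate, so a configured
        # chain never reaches the client: Damon's "offending line".
        findings.append("SSLProtocol allows only SSLv2: the certificate chain cannot be sent")
    if "SSLCertificateChainFile" not in d:
        findings.append("no SSLCertificateChainFile: clients lacking the intermediate CA cannot build the chain")
    for tok in d.get("SSLCipherSuite", "").split(":"):
        base = tok.lstrip("+")
        if base in WEAK_TOKENS and not tok.startswith(("!", "-")):
            findings.append(f"SSLCipherSuite token {tok!r} references {WEAK_TOKENS[base]}; "
                            "confirm with: openssl ciphers -v '<cipher spec>'")
    return findings
```

Running lint() on the two configs shows that removing the SSLProtocol line and uncommenting the chain file clears the chain findings, while the cipher-string warnings remain for both.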
Re: SSLCertificateChain file for Intermediate CA
[EMAIL PROTECTED] wrote:
> Hi Damon,
> Could you please put in the corrected part of your httpd.conf file - all the directives that are relevant to SSL connections.

OK, this is for the site https://www.motorweb.co.nz. Try it and you may I say.

First off, I'm using a Verisign Global ID certificate (ie. SGC). What I have currently works with MSIE 5+ and NS 4.7 (haven't tried other NS's). It does work with MSIE 4 but this version of IE doesn't like the Verisign Global certificate (it can't complete the chain) and therefore says it doesn't trust our site. This is despite the fact that Verisign says the Global ID's work with MSIE 4+, so I must still have something wrong.

At the bottom of this message is the ssl_engine_log of the server starting up and MSIE 4.7 trying to connect. Can someone point out why the intermediate_ca doesn't seem to get to IE? Is it because IE is connecting with SSLv2?

Anyway, here's the relevant lines from my httpd.conf

--- httpd.conf ---

Listen 443

# SSL session cache is required to get around MSIE bugs
SSLSessionCache dbm:/var/log/httpd/ssl_cache
SSLSessionCacheTimeout 300

<VirtualHost 210.55.172.141:443>
ServerName www.motorweb.co.nz
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate-ca.crt
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel trace
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

--- ssl_engine_log ---

Init: Loading certificate & private key of SSL-aware server www.motorweb.co.nz:443
Init: (www.motorweb.co.nz:443) unencrypted RSA private key - pass phrase not required
Init: Configuring server www.motorweb.co.nz:443 for SSL protocol
Init: (www.motorweb.co.nz:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
Init: (www.motorweb.co.nz:443) Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
Init: (www.motorweb.co.nz:443) Configuring RSA server certificate
Init: (www.motorweb.co.nz:443) RSA server certificate enables Server Gated Cryptography (SGC)
Init: (www.motorweb.co.nz:443) Configuring RSA server private key
Init: (www.motorweb.co.nz:443) Configuring server certificate chain (1 CA certificate)
Connection to child 2 established (server www.motorweb.co.nz:443, client 210.55.82.41)
Seeding PRNG with 0 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
OpenSSL: Loop: SSLv2 read client hello A
OpenSSL: Loop: SSLv2 write server hello A
OpenSSL: Loop: SSLv2 read client master key A
OpenSSL: Loop: SSLv2 server start encryption
OpenSSL: Loop: SSLv2 write server verify A
OpenSSL: Loop: SSLv2 read client finished A
OpenSSL: Loop: SSLv2 write request certificate A
OpenSSL: Loop: SSLv2 write server finished A
Inter-Process Session Cache: request=SET status=OK id=82EBC78C51D8403F32DA3EA9C62507DC timeout=299s (session caching)
OpenSSL: Handshake: done
Connection: Client IP: 210.55.82.41, Protocol: SSLv2, Cipher: EXP-RC4-MD5 (40/128 bits)
Connection to child 2 closed with standard shutdown (server www.motorweb.co.nz:443, client 210.55.82.41)
Re: SSLCertificateChain file for Intermediate CA
> Without going through mod_ssl's source: did you try to put the complete chain into the ChainFile?

Tried this, but it didn't make any difference.

> With respect to the error message, mod_ssl can write more messages than that into e.g. an ssl_engine_log. Did you check all possible logfiles?

I've checked, even with SSLLogLevel debug I couldn't get any more out of it.

I've since looked through the mod_ssl source and if there is any kind of error while trying to load the ChainFile then the generic "Failed to configure CA certificate chain!" message is produced. Not very helpful really since there are many possibilities.

I have also tried using SSLCACertificateFile instead of and in conjunction with SSLCertificateChainFile. This was described at http://www.verisign.com/support/tlc/class3_install_docs/ssleay/v00g.html as the instructions for ApacheSSL rather than mod_ssl. If used instead of SSLCertificateChainFile no init errors happen and the following is reported in ssl_engine_log:

[20/May/2001 15:10:19 11541] [trace] Init: (www.motorweb.co.nz:443) Configuring client authentication
[20/May/2001 15:10:19 11541] [trace] CA certificate: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

So it appears there is nothing wrong with my Intermediate Certificate (since that's what the trace is outputting) or Apache's ability to read it. Why oh why then doesn't it work with SSLCertificateChainFile, agh!

Thanks for the help and suggestions, but I'm still stuck.

One thing I haven't mentioned previously is that I'm running Apache 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with either of these versions.

regards,
Damon.
Re: SSLCertificateChain file for Intermediate CA
On Sun, 20 May 2001, Damon Maria wrote:
> One thing I haven't mentioned previously is that I'm running Apache 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with either of these versions.

Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and it uses the SSLCertificateChain thang without problems.

--
Regards,

Juha

PGP fingerprint: B7E1 CC52 5FCA 9756 B502 10C8 4CD8 B066 12F3 9544
Re: SSLCertificateChain file for Intermediate CA
Juha Saarinen wrote:
> On Sun, 20 May 2001, Damon Maria wrote:
>> One thing I haven't mentioned previously is that I'm running Apache 1.3.12 and mod_ssl 2.6. But I presume there shouldn't be a problem with either of these versions.
>
> Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and it uses the SSLCertificateChain thang without problems.

I may as well, I'm running out of other options.

thanks again for the help,
Damon.
Re: SSLCertificateChain file for Intermediate CA
On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:
> Since I haven't gotten too much of a response yet (except for thanks to Juha) I'll post my VirtualHost in httpd.conf, which I probably should have done in the first place.
>
> If I uncomment the SSLCertificateChainFile line then the following appears in the log and apache won't start...
>
> [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!
>
> I've copied my original message at the bottom of this one which contains the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it from Verisign's site).

Without going through mod_ssl's source: did you try to put the complete chain into the ChainFile? The server cert is in its own file. For my server (www.aet.tu-cottbus.de) I have an intermediate and a root CA certificate. Both are concatenated together into the chain file.

With respect to the error message, mod_ssl can write more messages than that into e.g. an ssl_engine_log. Did you check all possible logfiles?

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: SSLCertificateChain file for Intermediate CA
On Fri, May 18, 2001 at 01:21:31PM +0200, Henning von Bargen wrote:
> Lutz,
> when I try to access your site with Internet Explorer 5.5, IE tells me that it cannot verify the certificate.
> German error message is:
> Das Zertifikat wurde von einer Firma ausgestellt, die Sie nicht als vertrauenswürdig eingestuft haben. Untersuchen Sie das Zertifikat um festzustellen, ob Sie der ausstellenden Institution vertrauen möchten.

Yes, that is true. Our certificate was issued by our university's computer center (intermediate CA) and the root CA is the DFN (german research network, the provider for the german universities and scientific institutions).

emws1 26: openssl s_client -connect www.aet.tu-cottbus.de:443
CONNECTED(0003)
depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet Cottbus/OU=Allgemeine Elektrotechnik und Numerische [EMAIL PROTECTED]
   i:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED]
 1 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
 2 s:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
   i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]

The message IE shows is due to the fact, that DFN-PCA is not part of the standard CA bundle. When you import the DFN-PCA certificate, the problem will go away: http://www.pca.dfn.de/dfnpca/certify/ssl/pca-key.html

(I also have not initialized the trusted CA storage for openssl s_client, which correspondingly complains about "self signed certificate in certificate chain".)

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: SSLCertificateChain file for Intermediate CA
> I presume you're not trying to explicitly construct the server certificate chain that is being sent to the browser, together with the actual server cert?

This is what I'm trying to do. I'm trying to send all the certificates in the chain (except the root) to the browser. This includes my server certificate and the intermediate certificate.

If you try https://www.motorweb.co.nz/ in IE (I'm using 5.0) and click on the padlock, look at the Certification Path. You'll see there is the Primary CA, the www.verisign.com Intermediate CA and then the www.motorweb.co.nz certificate. IE contains the Primary and Intermediate CA and so works fine. Other browsers don't contain the Intermediate CA and so can't complete the chain. I need to get mod_ssl to serve up the Intermediate CA, and that's what SSLCertificateChainFile is supposed to do. But adding that into httpd.conf causes mod_ssl to die on startup: "Failed to configure CA certificate chain!"

regards,
Damon.
Re: SSLCertificateChain file for Intermediate CA
Since I haven't gotten too much of a response yet (except for thanks to Juha) I'll post my VirtualHost in httpd.conf, which I probably should have done in the first place.

If I uncomment the SSLCertificateChainFile line then the following appears in the log and apache won't start...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!

I've copied my original message at the bottom of this one which contains the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it from Verisign's site).

I've seen this solution to the Global ID Intermediate CA problem documented all over the web, but can't get it to work. There must be something obviously wrong with what I've done.

yours in desperation,
Damon.

--
<VirtualHost ...>
ServerName www.motorweb.co.nz
SSLEngine on
# The following hopefully get around the MSIE 4.x and 5.0 SGC bug
# SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
# SSLLog /var/log/httpd/ssl_engine_log
# SSLLogLevel debug
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

-------- Original Message --------
Subject: SSLCertificateChain file for Intermediate CA
Date: Thu, 17 May 2001 15:47:46 +1200
From: Damon Maria [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

I'm using a Verisign Global ID and therefore need to configure modssl to serve up the Intermediate CA. I've followed the various instructions I've found for this but with no success.

I downloaded the Intermediate CA and saved it under intermediate_ca.crt (I've listed it at the bottom of this message). I then added...

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

into my VirtualHost next to all the other SSL* settings. But if I start Apache with this setting it reports...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!

I've tried SSLLogLevel debug but this doesn't produce any more information.

I've been trying for ages and am getting desperate, can someone help me out.

thanks in advance,
Damon Maria.

-----BEGIN CERTIFICATE-----
[PEM body of the VeriSign intermediate CA certificate omitted]
-----END CERTIFICATE-----
RE: SSLCertificateChain file for Intermediate CA
:: Since I haven't gotten too much of a response yet (except for thanks to
:: Juha) I'll post my VirtualHost in httpd.conf, which I probably should
:: have done in the first place.
::
:: If I uncomment the SSLCertificateChainFile line then the following
:: appears in the log and apache won't start...
::
:: [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
:: certificate chain!

Stupid suggestion, perhaps, but can Apache read the CA file? Are the permissions OK?

--
Juha
Re: SSLCertificateChain file for Intermediate CA
Juha Saarinen wrote:
> Stupid suggestion, perhaps, but can Apache read the CA file? Are the permissions OK?

Good suggestion, but the permissions are OK (identical to server.crt).

thanks again,
Damon.
RE: SSLCertificateChain file for Intermediate CA
Gidday Damon,

Seems to work OK... https://www.motorweb.co.nz loads fine, and if I look at the cert, I see:

Issued to: www.motorweb.co.nz
Issued by: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign [sic]
Valid from: 05/02/01 to 06/02/02
Cert serial is: 74EB B7E7 DB06 D3A7 5401 3B94 4C7B B1FE
Thumbprint: D0EA 585F DD9A E330 10DB A820 F2B1 327B FB15 48CD

--
Juha

PS. I'm gunna tell Nic what a l4m3r you are. ;)

:: -----Original Message-----
:: From: [EMAIL PROTECTED]
:: [mailto:[EMAIL PROTECTED]]On Behalf Of Damon Maria
:: Sent: Thursday, 17 May 2001 15:48
:: To: [EMAIL PROTECTED]
:: Subject: SSLCertificateChain file for Intermediate CA
::
::
:: I'm using a Verisign Global ID and therefore need to configure modssl to
:: serve up the Intermediate CA. I've followed the various instructions
:: I've found for this but with no success.
::
:: I downloaded the Intermediate CA and saved it under intermediate_ca.crt
:: (I've listed it at the bottom of this message). I then added...
::
:: SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
::
:: into my VirtualHost next to all the other SSL* settings. But if I start
:: Apache with this setting it reports...
::
:: [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
:: certificate chain!
::
:: I've tried SSLLogLevel debug but this doesn't produce any more
:: information.
::
:: I've been trying for ages and am getting desperate, can someone help me
:: out.
::
:: thanks in advance,
:: Damon Maria.
::
Re: SSLCertificateChain file for Intermediate CA
> Seems to work OK...

Did you use IE? That seems to work fine (I guess it comes with the Intermediate CA), Netscape and Opera both barf on it tho'.

> https://www.motorweb.co.nz loads fine, and if I look at the cert, I see:
>
> Issued to: www.motorweb.co.nz
> Issued by: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign [sic]
> Valid from: 05/02/01 to 06/02/02
> Cert serial is: 74EB B7E7 DB06 D3A7 5401 3B94 4C7B B1FE
> Thumbprint: D0EA 585F DD9A E330 10DB A820 F2B1 327B FB15 48CD
>
> --
> Juha
>
> PS. I'm gunna tell Nic what a l4m3r you are. ;)

Wait until you try it in NS first :)

> :: -----Original Message-----
> :: From: [EMAIL PROTECTED]
> :: [mailto:[EMAIL PROTECTED]]On Behalf Of Damon Maria
> :: Sent: Thursday, 17 May 2001 15:48
> :: To: [EMAIL PROTECTED]
> :: Subject: SSLCertificateChain file for Intermediate CA
> [...]
RE: SSLCertificateChain file for Intermediate CA
:: Did you use IE? That seems to work fine (I guess it comes with the
:: Intermediate CA), Netscape and Opera both barf on it tho'.

Yes, IE 5.5; Konqueror 2.1.1 works too.

:: Wait until you try it in NS first :)

Nutscrape 4.76 says it does not recognize the authority who [sic] signed its [sic] certificate. It gets the right info (ie. who it belongs to and who issued it).

Opera 5 says that the certificate chain is incomplete, and the signer is not registered. So that kind of sucks... but you can accept the cert.

Are you using the right command though?

  This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.

  This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication. That's usually not what one expects.

I presume you're not trying to explicitly construct the server certificate chain that is being sent to the browser, together with the actual server cert?

--
Juha