On 10/06/14 21:21, dE wrote:
Hi.

I'm in a situation where I got 3 certificates

server.pem -- the end user certificate which is sent by the server to the client.
intermediate.pem -- server.pem is signed by intermediate.pem's private key.
issuer.pem -- intermediate.pem is signed by issuer.pem's private key.

combined.pem is created by --

cat server.pem intermediate.pem > combined.pem

Issuer.pem is installed in the web browser.

The chain is working, I can verify this via the SSL command --

cat intermediate.pem issuer.pem > cert_bundle.pem
openssl verify -CAfile cert_bundle.pem server.pem
server.pem: OK

However the browsers (FF, Chrome, Konqueror and wget) fail authentication, claiming there are no certificates to verify server.pem's signature.

I'm using Apache 2.4.10 with the following --

SSLCertificateFile /tmp/combined.pem
SSLCertificateKeyFile /tmp/server.key

I can attach *.pem if you want.

Thanks for any assistance.

Ok, I got this to work.

These modern browsers tend to accept certificates from any kind of CAs (root or non-root) only if they have an extension (version 3) and have CA:TRUE set in basicConstraints.

These include intermediate certificates.
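
The check described in the follow-up, as an added example that is not part of the original thread: the script builds a throwaway three-level chain, tests each intermediate for basicConstraints CA:TRUE, and verifies the leaf the way the client in the post is set up, with only issuer.pem trusted and the intermediate passed as untrusted. File names mirror the post; the subjects, keys, demo.cnf and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Every name, subject and file is constructed.

# is_ca FILE: succeed only if FILE has a basicConstraints extension with CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# verify_like_client ROOT INTERMEDIATE LEAF: trust only ROOT. INTERMEDIATE is just
# "sent by the server" (-untrusted), so it has to qualify as a CA on its own.
verify_like_client() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_demo_chain DIR: throwaway root, one intermediate key certified twice
# (without and with CA:TRUE), and a leaf issued by that intermediate.
make_demo_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\n%s\n' \
        'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
    newreq() {  # newreq NAME CN: writes NAME.key and NAME.csr
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    }
    sign() {    # sign CSR CA OUT [x509 options]: CA.pem/CA.key sign CSR.csr into OUT.pem
        csr=$1 issuer=$2 out=$3; shift 3
        openssl x509 -req -in "$d/$csr.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
            -CAcreateserial -days 1 -out "$d/$out.pem" "$@" 2>/dev/null
    }
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" -extensions v3_ca \
        -subj "/CN=Demo Root" -days 1 -keyout "$d/issuer.key" -out "$d/issuer.pem" 2>/dev/null
    newreq intermediate "Demo Intermediate"
    newreq server "demo.example"
    sign intermediate issuer intermediate_noca    # no extensions requested
    sign intermediate issuer intermediate -extfile "$d/demo.cnf" -extensions v3_ca
    sign server intermediate server
}

# Demo run in a temporary directory: same leaf, same key, two intermediate certs.
tmp=$(mktemp -d) && make_demo_chain "$tmp"
for i in intermediate_noca intermediate; do
    is_ca "$tmp/$i.pem" && flag=yes || flag=no
    verify_like_client "$tmp/issuer.pem" "$tmp/$i.pem" "$tmp/server.pem" && v=OK || v=FAIL
    echo "$i.pem: CA:TRUE=$flag, client-style verify=$v"
done
rm -rf "$tmp"
```

Against real files, `is_ca intermediate.pem` and `verify_like_client issuer.pem intermediate.pem server.pem` run the same two checks.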
