On 10/06/14 22:26, Daniel wrote:
I found myself in a similar situation and I couldn't find the reason
but I did find a workaround.
To work around this, make a pkcs12 file with all files in it, your
private key and the whole chain up until the root CA certificate, then
extract them back out from that pkcs12, using the extracted files.
My similar issue happened when I was generating the key and csr with
openssl and someone else was signing my request with another
software, all modulus matched, everything, but still for browsers the
chain was not correctly constructed. I worked around it with the
method I mentioned before.
Until someone can tell you what may really be happening this may be
worth a try for you.
Good luck.
2014-10-06 17:51 GMT+02:00 dE <de.tec...@gmail.com>:
Hi.
I'm in a situation where I got 3 certificates
server.pem -- the end user certificate which is sent by the server
to the client.
intermediate.pem -- server.pem is signed by intermediate.pem's
private key.
issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
combined.pem is created by --
cat server.pem intermediate.pem > combined.pem
Issuer.pem is installed in the web browser.
The chain is working, I can verify this via the SSL command --
cat intermediate.pem issuer.pem > cert_bundle.pem
openssl verify -CAfile cert_bundle.pem server.pem
server.pem: OK
However the browsers (FF, Chrome, Konqueror and wget) fail
authentication, claiming there are no certificates to verify
server.pem's signature.
I'm using Apache 2.4.10 with the following --
SSLCertificateFile /tmp/combined.pem
SSLCertificateKeyFile /tmp/server.key
I can attach *.pem if you want.
Thanks for any assistance.
---------------------------------------------------------------------
I used the following command to create the bundle --
openssl pkcs12 -export -in server.pem -inkey server.key -in
intermediate.pem -inkey intermediate.key -out bundle.p12 -name bundle
-CAfile issuer.pem -caname issuer -chain
To extract --
openssl pkcs12 -in ../bundle.p12 -out all_combined.pem -nodes
But, when using all_combined.pem as SSLCertificateFile, I get --
[Tue Oct 07 14:50:12.760273 2014] [ssl:emerg] [pid 8357:tid
140531695941504] AH02565: Certificate and private key httpd:443:0 from
/home/all_combined.pem and /homecertificate_chaining_test/server.key do
not match
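
A check for the AH02565 mismatch reported above, as an added example that is not part of the thread: it prints the position in a PEM bundle of the certificate whose public key matches a given private key (httpd expects the leaf certificate first in SSLCertificateFile, followed by the intermediates). The function names are illustrative and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: locate the certificate in a PEM bundle that belongs to a key.
# Function names are illustrative; only standard openssl subcommands are used.

# SHA-256 of the DER public key of the certificate read from stdin.
cert_pubkey_hash() {
    openssl x509 -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same digest, derived from a private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print only the Nth certificate block of a bundle. Bag attributes and
# private keys, as found in "openssl pkcs12 -nodes" output, are skipped.
nth_cert() {  # $1 = bundle, $2 = 1-based index
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on && n == want { print }
        /-----END CERTIFICATE-----/ { on = 0 }' "$1"
}

# Print the 1-based position of the certificate matching the private key,
# or 0 if no certificate in the bundle matches it.
matching_position() {  # $1 = bundle, $2 = private key
    want=$(key_pubkey_hash "$2")
    total=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    i=1
    while [ "$i" -le "$total" ]; do
        if [ "$(nth_cert "$1" "$i" | cert_pubkey_hash)" = "$want" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    echo 0
}

# Stand-alone use: sh check.sh all_combined.pem server.key
if [ "$#" -eq 2 ]; then
    matching_position "$1" "$2"
fi
```

A result of 1 means the leaf is where httpd looks for it; any other number means the bundle is out of order, and 0 means no certificate in the file was issued for that key.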