Re: [users@httpd] Cannot get certificate chain to work.

Tue, 07 Oct 2014 16:35:09 -0700 

changelog in 2.4.8

" *) mod_ssl: Remove the hardcoded algorithm-type dependency for the

     SSLCertificateFile and SSLCertificateKeyFile directives, to enable
     future algorithm agility, and deprecate the SSLCertificateChainFile
     directive (obsoleted by SSLCertificateFile). [Kaspar Brand]"


2014-10-07 19:49 GMT+02:00 dE <de.tec...@gmail.com>:

>  On 10/07/14 22:42, Daniel wrote:
>
> SSLCertificateChainFile is deprecated in 2.4 in favour of
> SSLCaCertificateFile
>
> 2014-10-07 16:59 GMT+02:00 dE <de.tec...@gmail.com>:
>
>>   On 10/07/14 18:12, Igor Cicimov wrote:
>>
>>
>>
>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> I'm in a situation where I got 3 certificates
>>>
>>> server.pem -- the end user certificate which's sent by the server to the
>>> client.
>>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>>> key.
>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>
>>> combined.pem is created by --
>>>
>>> cat server.pem intermediate.pem > combined.pem
>>>
>>> Issuer.pem is installed in the web browser.
>>>
>>> The chain is working, I can verify this via the SSL command --
>>>
>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>> openssl verify -CAfile cert_bundle.pem server.pem
>>> server.pem: OK
>>>
>>> However the browsers (FF, Chrome, Konqueror and wget) fail
>>> authentication, claiming there are no certificates to verity server.pem's
>>> signature.
>>>
>>> I'm using Apache 2.4.10 with the following --
>>>
>>> SSLCertificateFile /tmp/combined.pem
>>> SSLCertificateKeyFile /tmp/server.key
>>>
>>>
>>  Try this:
>>
>>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>>
>>   SSLCertificateFile server.pem
>>   SSLCertificateKeyFile server.key
>>   SSLCertificateChainFile CA_chain.pem
>>
>>
>>  Tried this on Apache 2.2 (SSLCertificateChainFile does not work with
>> 2.4) with the same issue.
>>
>
>
> No, you can see it here --
>
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile
>
> when SSLCertificateFile
> <http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile>
> was extended to also load intermediate CA certificates from the server
> certificate file.
>
>

Reply via email to