On 10/08/14 05:18, Igor Cicimov wrote:
On Wed, Oct 8, 2014 at 1:59 AM, dE <de.tec...@gmail.com> wrote:
On 10/07/14 18:12, Igor Cicimov wrote:
On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com> wrote:
Hi.
I'm in a situation where I got 3 certificates
server.pem -- the end user certificate which is sent by the
server to the client.
intermediate.pem -- server.pem is signed by
intermediate.pem's private key.
issuer.pem -- intermediate.pem is signed by issuer.pem's
private key.
combined.pem is created by --
cat server.pem intermediate.pem > combined.pem
Issuer.pem is installed in the web browser.
The chain is working, I can verify this via the SSL command --
cat intermediate.pem issuer.pem > cert_bundle.pem
openssl verify -CAfile cert_bundle.pem server.pem
server.pem: OK
However the browsers (FF, Chrome, Konqueror and wget) fail
authentication, claiming there are no certificates to verify
server.pem's signature.
I'm using Apache 2.4.10 with the following --
SSLCertificateFile /tmp/combined.pem
SSLCertificateKeyFile /tmp/server.key
Try this:
$ cat issuer.pem intermediate.pem > CA_chain.pem
SSLCertificateFile server.pem
SSLCertificateKeyFile server.key
SSLCertificateChainFile CA_chain.pem
Tried this on Apache 2.2 (SSLCertificateChainFile does not work
with 2.4) with the same issue.
Hmm in that case you have something mixed up or simply this can not
work for self signed certificates since this is exactly what I'm using
on Apache 2.2.24/26 on all our company web sites: a certificate signed
by CA authority and a chain certificate file where the authorities CA
and Intermediate certs have been concatenated.
Can you show us the output of:
openssl x509 -noout -in cert.pem -text
for all your certificates?
$ openssl x509 -noout -in server.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13192573755114198537 (0xb7156feedab91609)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
Validity
Not Before: Oct 7 08:43:42 2014 GMT
Not After : Oct 2 08:43:42 2015 GMT
Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
$ openssl x509 -noout -in intermediate.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Validity
Not Before: Oct 7 08:42:05 2014 GMT
Not After : Oct 2 08:42:05 2015 GMT
Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
$ openssl x509 -noout -in issuer.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Validity
Not Before: Oct 7 08:40:29 2014 GMT
Not After : Oct 7 08:40:29 2015 GMT
Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
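
Added example, not part of the thread: a small Python check that reads the Version, Issuer and Subject fields of `openssl x509 -noout -text` dumps, walks the chain upward from the leaf by name, and flags any intermediate that carries no basicConstraints CA:TRUE. The names parse_dump and walk_chain are hypothetical, DUMPS holds only the lines copied from the three dumps above, and name matching does not check signatures (openssl verify does that).

```python
import re

# Version/Issuer/Subject lines copied from the three dumps in the thread;
# validity, key and signature fields are left out.
DUMPS = {
    "server.pem": """Version: 1 (0x0)
        Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server""",
    "intermediate.pem": """Version: 1 (0x0)
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate""",
    "issuer.pem": """Version: 1 (0x0)
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer""",
}

def parse_dump(text):
    """Pull the path-building fields out of `openssl x509 -noout -text` output."""
    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    bc = re.search(r"X509v3 Basic Constraints:[^\n]*\n\s*CA:(TRUE|FALSE)", text)
    return {"version": int(re.search(r"Version:\s*(\d+)", text).group(1)),
            "issuer": field("Issuer"), "subject": field("Subject"),
            "ca": (bc.group(1) == "TRUE") if bc else None}  # None: no extension

def walk_chain(certs, leaf):
    """Follow Issuer -> Subject links from the leaf; return (path, findings)."""
    by_subject = {c["subject"]: name for name, c in certs.items()}
    path, findings, name = [], [], leaf
    while name is not None and name not in path:
        cert = certs[name]
        path.append(name)
        self_signed = cert["issuer"] == cert["subject"]
        # RFC 5280 section 6.1.4: a validator must reject a v1/v2 intermediate
        # unless it knows out of band that the certificate is a CA.
        if name != leaf and not self_signed and cert["ca"] is not True:
            why = "X.509 v1, no extensions" if cert["version"] < 3 else "v3"
            findings.append(f"{name}: issues certificates but has no "
                            f"basicConstraints CA:TRUE ({why})")
        if self_signed:
            break  # reached a root; the client must already trust it
        name = by_subject.get(cert["issuer"])
        if name is None:
            findings.append(f"{path[-1]}: issuer not among supplied certificates")
    return path, findings

if __name__ == "__main__":
    parsed = {n: parse_dump(t) for n, t in DUMPS.items()}
    print(walk_chain(parsed, "server.pem"))
```
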