On 10/09/14 23:47, Christopher Schultz wrote:

De,

On 10/7/14 11:27 PM, dE wrote:
$ openssl x509 -noout -in server.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13192573755114198537 (0xb7156feedab91609)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Validity
            Not Before: Oct  7 08:43:42 2014 GMT
            Not After : Oct  2 08:43:42 2015 GMT
        Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

1024-bit keys?

Perhaps the browsers are smart enough not to trust those.

$ openssl x509 -noout -in intermediate.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Validity
            Not Before: Oct  7 08:42:05 2014 GMT
            Not After : Oct  2 08:42:05 2015 GMT
        Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

Hmm.

$ openssl x509 -noout -in issuer.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Validity
            Not Before: Oct  7 08:40:29 2014 GMT
            Not After : Oct  7 08:40:29 2015 GMT
        Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

Maybe try again with 2048-bit keys or better?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org


Yeah, I'll try 4096. That's the standard. But it did work when only intermediate.pem was sent by the server and issuer.pem was installed in the browser.
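
An added example, not part of the original thread: a Python sketch that parses concatenated `openssl x509 -noout -text` dumps, orders the certificates from leaf to root by matching Issuer to Subject, and lists every link whose RSA key is below a chosen size. The 2048-bit floor, the function names and the trimmed sample text are assumptions built from the values quoted in the messages above.

```python
import re

MIN_RSA_BITS = 2048  # assumption: the "2048-bit keys or better" floor from the thread
# Constructed sample: trimmed `openssl x509 -noout -text` dumps, deliberately
# out of chain order, reusing the Subject/Issuer/key-size values quoted above.
SAMPLE = """\
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
                Public-Key: (1024 bit)
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
                Public-Key: (1024 bit)
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
                Public-Key: (1024 bit)
"""

FIELDS = {
    "issuer": re.compile(r"^\s*Issuer:\s*(.+)$", re.M),
    "subject": re.compile(r"^\s*Subject:\s*(.+)$", re.M),
    "sig_alg": re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M),
    "bits": re.compile(r"Public-Key:\s*\((\d+) bit\)"),
}

def parse_dumps(text):
    # Split on each "Certificate:" header line, then pull the fields per dump.
    certs = []
    for chunk in re.split(r"^Certificate:\s*$", text, flags=re.M)[1:]:
        cert = {name: rx.search(chunk).group(1).strip() for name, rx in FIELDS.items()}
        cert["bits"] = int(cert["bits"])
        certs.append(cert)
    return certs

def order_chain(certs):
    # The leaf is the one certificate that no other certificate names as issuer.
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    chain = [next(c for c in certs if c["subject"] not in issuers)]
    # Follow issuer links; stop at a self-signed root, a gap, or a loop.
    while (nxt := by_subject.get(chain[-1]["issuer"])) and nxt not in chain:
        chain.append(nxt)
    return chain

def weak_links(chain, min_bits=MIN_RSA_BITS):
    return [c["subject"] for c in chain if c["bits"] < min_bits]
```

To check real files, pass the concatenated text output of the three `openssl x509 -noout -text` commands shown in the thread to `parse_dumps`.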
