On 10/10/14 19:00, Christopher Schultz wrote:

dE,

On 10/10/14 6:30 AM, dE wrote:
On 10/09/14 23:47, Christopher Schultz wrote:
De,

On 10/7/14 11:27 PM, dE wrote:
$ openssl x509 -noout -in server.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13192573755114198537 (0xb7156feedab91609)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Validity
            Not Before: Oct  7 08:43:42 2014 GMT
            Not After : Oct  2 08:43:42 2015 GMT
        Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

1024-bit keys?

Perhaps the browsers are smart enough not to trust those.

$ openssl x509 -noout -in intermediate.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Validity
            Not Before: Oct  7 08:42:05 2014 GMT
            Not After : Oct  2 08:42:05 2015 GMT
        Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

Hmm.

$ openssl x509 -noout -in issuer.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Validity
            Not Before: Oct  7 08:40:29 2014 GMT
            Not After : Oct  7 08:40:29 2015 GMT
        Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)

Maybe try again with 2048-bit keys or better?

-chris
---------------------------------------------------------------------


To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Yeah, I'll try 4096. That's the standard. But it did work when
only intermediate.pem was sent by the server and issuer.pem was
installed in the browser.

You might want to check using SSL Labs' server scanner. It will tell
you exactly what the server is sending, whether they are in the right
order, at what level they are trusted, and give you advice about how
to improve the configuration.

-chris


I tried 4096 with the same problem.

$ openssl verify -CAfile issuer.pem intermediate.pem
intermediate.pem: OK

intermediate.pem does not import. First I have to try to get them imported before putting them on the server. Otherwise it's pointless (it'll always fail).
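
The certificate properties questioned in this thread (key size, X.509 version) can be checked mechanically from the `openssl x509 -noout -text` dump. The script below is an added example, not part of any message in the thread; the function names, the `MIN_RSA_BITS` threshold and the sample (the thread's server.pem fields re-laid one per line) are assumptions made for illustration. It also reports the X.509 version, because a Version 1 certificate has no extensions field and so carries no basicConstraints.

```shell
#!/bin/sh
# Added example: audit the text printed by `openssl x509 -noout -text`.
# Real use: openssl x509 -noout -text -in server.pem | audit_cert_text
MIN_RSA_BITS=2048   # assumed threshold, from "2048-bit keys or better"
# Print the first sed capture of pattern $2 found in text $1.
first_match() {
    printf '%s\n' "$1" | sed -n "s/$2/\\1/p" | head -n 1
}

# Reads the dump on stdin; returns 0 if clean, 1 on findings, 2 if unparseable.
audit_cert_text() {
    text=$(cat)
    version=$(first_match "$text" '.*Version: \([0-9][0-9]*\) (0x.*')
    pkalg=$(first_match "$text" '.*Public Key Algorithm: *\([A-Za-z0-9_-]*\).*')
    bits=$(first_match "$text" '.*Public-Key: (\([0-9][0-9]*\) bit).*')
    subject=$(first_match "$text" '.*Subject: *\(.*\)')
    if [ -z "$version" ] || [ -z "$bits" ]; then
        echo "error: input is not openssl x509 -text output" >&2
        return 2
    fi
    findings=0
    echo "subject: $subject"
    echo "version=$version pkalg=$pkalg key_bits=$bits"
    if [ "$pkalg" = rsaEncryption ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK-KEY: RSA $bits bits is below $MIN_RSA_BITS"
        findings=$((findings + 1))
    fi
    if [ "$version" -lt 3 ]; then
        echo "NO-EXTENSIONS: X.509 v$version cannot carry basicConstraints"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the server.pem fields from the thread, one per line.
sample_server_pem() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
EOF
}
sample_server_pem | audit_cert_text || echo "exit status: $?"
```

Running the same function over each certificate in a chain (server, intermediate, issuer) shows which links carry the flagged properties before the chain is installed on the server.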
