On Tue, Sep 13, 2016 at 09:50:43AM +0200, Robert Klein wrote:
> Did you try to /append/ the intermediate certificate(s) to the server
> certificate? That worked for me on OpenBSD 6.0's httpd.

Yes. Uncanny timing on your mail -- I just got it to work. httpd(8) needs
the intermediate certificate to be at the *bottom* of the combined
certificate, the opposite of what I'm used to.

To clarify for future readers: if you want to provide an intermediate
certificate with OpenBSD httpd, your /etc/ssl/server.crt files should
look like this:

-----BEGIN CERTIFICATE-----
<your cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate cert>
-----END CERTIFICATE-----

> An explanation might be the documentation to the
> SSL_CTX_use_certificate_chain_XXX functions used:
>
>     The SSL_CTX_use_certificate_chain*() functions load a certificate
>     chain into ctx. The certificates must be in PEM format and must
>     be sorted starting with the subject's certificate (actual client
>     or server certificate), followed by intermediate CA certificates
>     if applicable, and ending at the highest level (root) CA. There
>     is no corresponding function working on a single SSL object.

I (myopically) missed this.

> Best regards
> Robert