I don't know if this is directly relevant, but the ONLY way I could
make the Apache SSLCertificateChainFile capability work was to put
..............................^^^^^
the server certificate and both the intermediate certificates into
the file in this specific order:

Server Certificate
First Intermediate
Second Intermediate

that is, the order in which they would be needed during verification.

Since "certificate_chain_file" is in the subroutine name,
...................^^^^^
I thought this might be something you could try...

David Luyer wrote:

I'm having a problem trying to get a chained certificate to work with
uw-imapd.  It works fine with apache-ssl and apache + mod_ssl.
On uw-imapd (which uses openssl) it fails as the CA certificate is
not presented (so the mail client gives a warning), or if I try and
present it OpenSSL rejects the key (and imapd completely fails).

What kind of chain does "openssl s_client -showcerts" report? I think this is a really good diagnostic tool in these cases.

uw-imapd does the following (ignoring support for per-IP certs):
  * by default:
      tmp=/etc/ssl/certs/imapd.pem
      SSL_CTX_use_certificate_chain_file (stream->context,tmp)
................................^^^^^
      SSL_CTX_use_RSAPrivateKey_file (stream->context,tmp,SSL_FILETYPE_PEM)
  * on debian:
      tmpcrt=/etc/ssl/certs/imapd.pem
      tmpkey=/etc/ssl/private/imapd.pem [if it exists, else use tmpcrt]
      SSL_CTX_use_certificate_chain_file (stream->context,tmpcrt)
................................^^^^^
      SSL_CTX_use_RSAPrivateKey_file (stream->context,tmpkey,SSL_FILETYPE_PEM)

I'm a Debian user too...


David Luyer                                     Phone:   +61 3 9674 7525
Network Development Manager    P A C I F I C    Fax:     +61 3 9698 4825
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE
http://www.pacific.net.au/                      NASDAQ:  PCNTF

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
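As an added example (not code from this thread, from uw-imapd or from Apache), the following script builds a toy three-level CA hierarchy with the openssl CLI, assembles a PEM chain file in the order the thread reports as working (server certificate, first intermediate, second intermediate), and checks the two things that break the `SSL_CTX_use_certificate_chain_file` / `SSL_CTX_use_RSAPrivateKey_file` sequence quoted above: certificates out of order, and a private key that does not belong to the first certificate in the file. The subjects, file names and work directory are all constructed here; a real deployment would point the check functions at its own `imapd.pem` files instead.

```shell
#!/bin/sh
# Added example, not code from the thread, uw-imapd or Apache.  Builds a toy
# three-level CA hierarchy with the openssl CLI, assembles a PEM chain file in
# the order the thread reports as working (server certificate, first
# intermediate, second intermediate), and checks the two things that break the
# SSL_CTX_use_certificate_chain_file / SSL_CTX_use_RSAPrivateKey_file sequence
# uw-imapd performs: certificates out of order, and a private key that does
# not belong to the FIRST certificate in the file.  Subjects, file names and
# the work directory are all constructed here.

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# issue_cert NAME SUBJECT ISSUER CA_FLAG: writes NAME.key and NAME.pem.
# Empty ISSUER means self-signed; otherwise the cert is signed by ISSUER.pem.
issue_cert() {
  name=$1; subj=$2; issuer=$3; ca_flag=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "$subj" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:%s\n' "$ca_flag" > "$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
  fi
}

# split_certs FILE DIR: writes each PEM certificate in FILE to DIR/cert.N
# (N starting at 1, in file order) and prints the number of certificates.
split_certs() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n; in_cert = 1 }
    in_cert { print > out }
    /-----END CERTIFICATE-----/ { in_cert = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# check_chain_order CHAINFILE: returns 0 when every certificate's issuer is
# the subject of the certificate that follows it, i.e. leaf first and each
# CA after the certificate it signed, which is the order a verifier walks.
# Compares -issuer_hash / -subject_hash (hash of the DER X509_NAME), not
# printed strings.
check_chain_order() {
  dir=$(mktemp -d)
  n=$(split_certs "$1" "$dir")
  i=1; ok=0
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -noout -issuer_hash -in "$dir/cert.$i")
    subject=$(openssl x509 -noout -subject_hash -in "$dir/cert.$j")
    [ "$issuer" = "$subject" ] || ok=1
    i=$j
  done
  rm -rf "$dir"
  return $ok
}

# check_key_matches CHAINFILE KEYFILE: returns 0 when KEYFILE is the private
# key of the first certificate in CHAINFILE.  That first certificate is the one
# SSL_CTX_use_certificate_chain_file installs as the server certificate, so a
# chain file that starts with a CA certificate makes the later
# SSL_CTX_use_RSAPrivateKey_file call fail with a key mismatch.
check_key_matches() {
  dir=$(mktemp -d)
  split_certs "$1" "$dir" >/dev/null
  cert_pub=$(openssl x509 -noout -pubkey -in "$dir/cert.1" 2>/dev/null)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
  rm -rf "$dir"
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; fi
  return 1
}

# verify_leaf CHAINFILE: path validation of the server certificate to the toy
# root, using CHAINFILE as the untrusted intermediate pool.  This passes for a
# misordered chain file too: path building does not care about file order,
# which is why check_chain_order exists as a separate check.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# Toy hierarchy: root -> intermediate 2 -> intermediate 1 -> server.
issue_cert root   "/CN=Example Root CA"        ""     TRUE
issue_cert inter2 "/CN=Example Intermediate 2" root   TRUE
issue_cert inter1 "/CN=Example Intermediate 1" inter2 TRUE
issue_cert server "/CN=imap.example.test"      inter1 FALSE

# The order the thread found to work, and an order that "rejects the key".
cat server.pem inter1.pem inter2.pem > good-chain.pem
cat inter2.pem inter1.pem server.pem > bad-chain.pem

for f in good-chain.pem bad-chain.pem; do
  if check_chain_order "$f"; then o=ordered; else o=MISORDERED; fi
  if check_key_matches "$f" server.key; then k=matches; else k=MISMATCH; fi
  echo "$f: chain $o, key $k"
done
```

The two checks are deliberately separate: `openssl verify` builds a path from whatever pool it is given and so accepts a misordered file, while the library call uw-imapd makes takes the first certificate in the file as the server certificate and the rest as the chain, so order is what decides whether the key loads and which chain the client is sent. On a live server the same ordering is visible from the client side with `openssl s_client -showcerts`, the diagnostic suggested in the thread: the certificates it prints should appear in the same leaf-first order the check above enforces.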

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
