SUMMARY:
The problem was that the root CA had a pathlen=0, so the intermediate CA
could not be recognized. Setting pathlen=1 solved it.
Many thanks to Goetz for his help.
From: Goetz Babin-Ebell <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Certificate chain problem
Date: Mon, 13 Jun 2005 22:40:10 +0200
Eleftheria Petraki wrote:
> Hi all,
Hello Eleftheria,
> I have generated a self signed root certification authority and an
> intermediate certification authority signed by the root CA using openssl
> 0.9.7g. The intermediate CA signed an apache 1 with mod-ssl SSL server
> certificate. Both the root and intermediate PEM certificates are placed
> in the file ca.crt pointed by the directive SSLCACertificateFile.
How about putting the intermediate CA-certificate in the file
ca.chain and let the directive SSLCertificateChainFile point
to it? SSLCACertificateFile is IMHO only for accepted CAs
for client authentication (so no wonder the server does not
accept the connection request, your browser does not have
an according client certificate).
> Unfortunately it is not working. IE still cannot display the page and
> Mozilla causes the following entry in error_log:
> [Mon Jun 13 16:42:57 2005] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
> certificate not server name or identical to CA!?]
Perhaps you should start with a more basic approach:
do an
openssl s_client -connect server:443 -CAfile root.crt
(root.crt should only contain the root certificate...)
If this prints somewhere the verify error message
"unable to get local issuer certificate" the server doesn't send
the intermediate CA cert.
(this is an error, only the root cert may be omitted...)
You should insert the intermediate CA cert in the CA cert file
the directive SSLCertificateChainFile points to...
> But CN is identical to server name and openssl verifies correctly the
> server certificate. If both root and intermediate CA certificates are
> imported in Mozilla the page is opened without problems. However the same
> thing does not work in IE - the page cannot be displayed. I am really
> confused.
In your constellation s_client should print a certificate chain with
2 certificates in it...
* the root cert (from the CAfile) and
* the intermediate cert (provided by the server)
Bye
Goetz
--
DMCA: The greed of the few outweighs the freedom of the many
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
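The pathlen finding from the summary, as an added example that is not part of the thread: using Go's standard-library chain verifier, a root CA whose basicConstraints carries pathlen 0 rejects a chain that contains an intermediate CA, while pathlen 1 accepts it. The CA names and the server name www.example.test are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate: CA with basicConstraints pathlen as given (MaxPathLenZero marks an explicit 0).
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign,
	}
}

// sign issues tmpl under parent (self-signed when parent is nil); returns the cert and its key.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyWithRootPathLen builds root -> intermediate -> server with the given root pathlen and returns the chain-validation error (nil when accepted).
func VerifyWithRootPathLen(rootPathLen int) error {
	root, rootKey := sign(caTemplate("Test Root CA", 1, rootPathLen), nil, nil)
	inter, interKey := sign(caTemplate("Test Intermediate CA", 2, 0), root, rootKey)
	server, _ := sign(&x509.Certificate{ // constructed server name, not from the thread
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)   // what the client trusts (like s_client -CAfile root.crt)
	inters.AddCert(inter) // what the server must send (SSLCertificateChainFile)
	_, err := server.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters})
	return err
}
```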