On Tue, Feb 21, 2006, Winston Ford wrote:

> Yes, the current cert was bought this weekend from starfield
> (godaddy). Reason being, another client site has a cert from
> starfield, and IE successfully completes handshake. Site is
> https://www.shopelizabethbrady.com It is running on same machine, same
> apache, Apache/1.3.33 mod_ssl/2.8.24, and same openssl, OpenSSL 0.9.7i.
>
> The bit about the intermediate CA certificate showing Verisign is
> noteworthy. The previous cert was from Verisign, so this makes
> sense. Yet the SSLCertificateChainFile
> /private/etc/httpd/ebg-ssl4/sf_issuing.crt is the same sf_issuing.crt
> used for shopelizabethbrady.com, which does not show Verisign in
> handshake transcript. Where might this verisignian vestige be residing?
>

Well that file is the usual place. Try:

    openssl x509 -in whatever.crt -noout -subject

and see if it says "Verisign". You could also try commenting that line
out and seeing if it doesn't send it any more.

If the other site has the correct intermediate CA in the trusted
certificate store it would use that. If you don't have a copy of the
correct intermediate CA you can get it from that other site easily
enough with the -showcerts option to s_client.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
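
An added example, not part of the original message and not OpenSSL project code: the subject check suggested above, taken one step further to confirm that a chain file holds the certificate that actually issued the server certificate. The CA names, file names, the ca.cnf config and www.example.test are constructed, and the two issuing CAs are modelled as self-signed stand-ins.

```shell
#!/bin/sh
# Added example: every key, certificate and name is constructed test data.

# chain_issues_leaf LEAF CHAIN: succeed only if the first certificate in CHAIN
# is named as LEAF's issuer and its key verifies LEAF's signature.
chain_issues_leaf() {
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$2" -noout -subject_hash)" ] || return 1
    # -partial_chain lets an intermediate (not only a root) act as the anchor.
    openssl verify -partial_chain -trusted "$2" "$1" >/dev/null 2>&1
}

# make_ca NAME: self-signed stand-in for an issuing CA (assumption: real
# intermediates are signed by a root, which this check does not need).
make_ca() {
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Constructed $1 Issuing CA" \
        -keyout "$d/$1.key" -out "$d/$1.crt" 2>/dev/null
}

d=$(mktemp -d)
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
make_ca current     # issuer of the newly bought server certificate
make_ca previous    # leftover issuer from the certificate it replaced

openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
openssl x509 -req -in "$d/server.csr" -days 2 -CAcreateserial \
    -CA "$d/current.crt" -CAkey "$d/current.key" \
    -out "$d/server.crt" 2>/dev/null

for ca in current previous; do
    openssl x509 -in "$d/$ca.crt" -noout -subject
    if chain_issues_leaf "$d/server.crt" "$d/$ca.crt"; then
        echo "  issued server.crt: usable as SSLCertificateChainFile"
    else
        echo "  did not issue server.crt: wrong chain file"
    fi
done
```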