On 23-07-2010 13:54, Brent Clark wrote:
Hiya
I installed a Cert (Signed by Comodo) for a client.
On restarting the webserver, Firefox was complaining about the new
cert, but IE and Safari was not.
A friend of mine, said I should try by downloading the intermediate
cert from Comodo. and add SSLCACertificateFile to apache.
Lo and behold it worked. No more prompt from Firefox.
The question I would like to ask is. If I run 'openssl x509 -text
cert.crt', is there anything for me to make a note of that I need to
require the intermediate cert.
Easy: The "Issuer" field is not Comodo, but the intermediary cert
you need. Then when you got it, repeat the exercise with that
certificate etc. until you get to the already trusted CA cert.
Even easier, try using the openssl verify command against the
certificate, it will complain about the missing cert if doesn't
get it as an extra option.
IE and Safari may have local copies of the extra cert or may implement
code to do the download automatically based on a URL elsewhere in the
certificate.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
