If your cert is not signed by a cert that is trusted by popular browsers, you will have to include all certs with it in the apache server config, up to (not necessarily including) one that browsers trust.
Now, this would generally mean all intermediate certs up to a trusted (root) cert. What you did achieved that.

Remember that, IIRC, some browsers may ALREADY have common intermediate certs, so it may not be necessary for them. Also, if the cert has appropriate AIA extensions, it MAY be able to indicate where to locate the intermediate certs necessary, so they could be retrieved (and verified against trusted certs the browser already has), but most PKI libraries (including openssl) will not do this automatically: it would have to be a client (e.g. browser) operation to help build the trust chain.

So, best practice is for the apache server to send all intermediate certs up to, but excluding, the root CA cert. It would not be wrong to send the root CA cert as well, but would take some bandwidth to do so.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Brent Clark
Sent: Fri 7/23/2010 4:54 AM
To: openssl-users@openssl.org
Subject: Intermediate Cert

Hiya

I installed a Cert (Signed by Comodo) for a client. On restarting the webserver, Firefox was complaining about the new cert, but IE and Safari were not.

A friend of mine said I should try downloading the intermediate cert from Comodo and add SSLCACertificateFile to apache.

Lo and behold it worked. No more prompt from Firefox.

The question I would like to ask is: if I run 'openssl x509 -text cert.crt', is there anything for me to make a note of that I need to require the intermediate cert.

If anyone can shed some light it would be appreciated.

Kind Regards
Brent Clark
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
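
An added example, not part of the original thread: it builds a throwaway root, intermediate and leaf, then shows the checks discussed above (issuer vs. subject, the AIA caIssuers URL, and verification with and without the intermediate supplied). It assumes OpenSSL 1.1.0 or later on PATH; the function names, subject names and AIA URL are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (names and AIA URL are made up): root -> intermediate -> leaf.
make_demo_pki() {
  local d=$1 n
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
authorityInfoAccess = caIssuers;URI:http://ca.example.invalid/demo-int.crt
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/x.cnf" -extensions ca \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  for n in int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
      -subj "/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions ca -days 2 -out "$d/int.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/x.cnf" -extensions leaf -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Exit 0 when issuer != subject: the cert is not self-issued, so a verifier must
# obtain its issuer from somewhere (the server, its own store, or AIA).
needs_issuer() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" != \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Print any AIA "CA Issuers" URLs found in the -text dump of a cert.
aia_urls() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# usage: chain_ok root.crt leaf.crt [intermediates.pem]
# The optional third file stands in for the extra certs the server would send.
chain_ok() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo"
chain_ok "$demo/root.crt" "$demo/leaf.crt" && echo "leaf alone: OK" || echo "leaf alone: FAIL"
chain_ok "$demo/root.crt" "$demo/leaf.crt" "$demo/int.crt" && echo "leaf + intermediate: OK"
echo "AIA caIssuers: $(aia_urls "$demo/leaf.crt")"
```

The cert itself only names its issuer; whether that issuer is already trusted depends on each client's store, which is why verification against a root-only bundle is the reliable check.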