Hi Paul,
Can you test the SSLCertificateChainFile instructions from the following
site: http://www.cam.ac.uk/cs/tlscerts/deploying-thawte.html ?
Your problem could come from the fact that your Apache
SSLCertificateChainFile configuration is missing the Thawte Cross Root
CA that links "thawte Primary Root CA" to "Thawte Premium Server CA".
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 9/14/2010 3:32 AM, Paul B. Henson wrote:
> On Mon, 13 Sep 2010, Tim Hudson wrote:
> > Try gnutls without the TLS extensions processing occurring and you will
> > see that the server is not sending back the certificate chain:
> Hmm, so the server isn't volunteering the chain, but if the client is smart
> enough to ask for it, it will provide it :)?
> > This fails. You need to correct your server configuration so that it
> > correctly sends out the chain.
> I'm using bog-standard apache with mod_ssl, currently version 2.2.14. The
> instructions from Thawte were to use the SSLCACertificateFile directive in
> the config pointing to a file they provided containing two certs (the
> "thawte Primary Root CA" followed by the "Thawte SSL CA"). My server cert
> is signed by the "Thawte SSL CA", and my openssl client has the "Thawte
> Premium Server CA" cert installed on it.
> This didn't work; as you point out, it seems the server is not sending the
> chain. Per an off-list discussion, I've changed my config and am now using
> the SSLCertificateChainFile directive instead (which seems to be the better
> way to do it). I also reversed the order of the certs in the file per a
> forum thread I found indicating they should be in order of verification.
> That's still not working, no chain from the server.
> Presumably somebody has one of these new Thawte certs installed under
> apache working correctly; could one of those somebodies possibly post what
> apache configuration directives they are using, and what certificates in
> what order are present in the intermediate CA file they are using? That
> would be greatly appreciated :).
> Thanks...
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
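The two things the thread keeps circling are whether the SSLCertificateChainFile bundle is in verification order (the server cert's issuer first, then that CA's issuer, and so on) and what chain the server actually hands out. The script below is an added example, not code from the thread or from Apache/Thawte; it assumes the OpenSSL command-line tool is installed, and the file names and host names are placeholders.

```shell
#!/bin/sh
# Added example: check an Apache SSLCertificateChainFile bundle for
# verification order and dump the chain a live server really sends.
# Assumes the openssl CLI; all paths and host names are placeholders.
set -eu

# Print one line per PEM certificate in a file, in file order: "subject|issuer".
cert_pairs() {
    tmp=$(mktemp)
    : > "$tmp"
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        case $line in
        *'-----END CERTIFICATE-----'*)
            subj=$(openssl x509 -in "$tmp" -noout -subject | sed 's/^subject= *//')
            iss=$(openssl x509 -in "$tmp" -noout -issuer | sed 's/^issuer= *//')
            printf '%s|%s\n' "$subj" "$iss"
            : > "$tmp" ;;
        esac
    done < "$1"
    rm -f "$tmp"
}

# check_chain_order CHAIN_FILE [SERVER_CERT]
# Succeeds when each certificate's issuer is the subject of the next one.
# With SERVER_CERT given, the chain must also begin with that cert's issuer
# (the "Thawte SSL CA" position in the thread). Prints the first break found.
check_chain_order() {
    prev_issuer=''
    if [ $# -gt 1 ]; then
        prev_issuer=$(cert_pairs "$2" | head -n 1 | cut -d'|' -f2)
    fi
    n=0
    cert_pairs "$1" | while IFS='|' read -r subj iss; do
        n=$((n + 1))
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "break at certificate $n: expected subject '$prev_issuer', found '$subj'"
            exit 1
        fi
        prev_issuer=$iss
    done
}

# server_chain HOST: the PEM certificates a server presents, in the order sent.
# Pipe the output into a file and run cert_pairs on it to see whether only
# the leaf is coming back, which was the symptom reported in the thread.
server_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}
```

Typical use: `check_chain_order /etc/ssl/chain.pem /etc/ssl/server.pem` before reloading Apache, then `server_chain www.example.com > /tmp/sent.pem; cert_pairs /tmp/sent.pem` to confirm the running server sends the intermediates.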