> It sounds like some clients have the correct intermediate certificate(s)
> installed and some do not.
>
> They should select the certificate, click the "view" button and see if the
> certificate path is complete (i.e. it says it is OK).

On systems (XP and some Win7) where the user can access the site the cert chain is short:

    DoD Root CA2 -> DOD CA-24 -> Smith.John.1234567890

On the Windows 7 systems where the user CANNOT access the site, the cert chain is long:

    Common Policy -> SHA-1 Federal Root CA -> DoD Interoperability Root CA 1 -> DoD Root CA2 -> DOD CA-24 -> Smith.John.1234567890

Users on those systems cannot access the site. If, however, I remove the first three certs from their intermediate certification authorities list in IE, the user can access the site.

Is there something I can do on my servers so that it will tolerate the long cert chain? SSLVerifyDepth is currently set to 5. Increase to 6 or more? Do I need to add Common Policy, SHA-1 Federal Root CA and DoD Interoperability Root CA certs to my cert file on the server?

Curtis N. Tammany

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org