On 04/03/2014 11:19 AM, Thomas J. Hruska wrote: > This works fine: > > http://opensslfoundation.org/ > > > This raises a certificate warning (Firefox): > > https://opensslfoundation.org/ > > opensslfoundation.org uses an invalid security certificate. The > certificate is not trusted because no issuer chain was provided. The > certificate is only valid for the following names: > www.opensslfoundation.com , opensslfoundation.net , wiki.openssl.org > (Error code: sec_error_unknown_issuer) > > > Switching to the .com variant, it also raises a certificate warning: > > www.opensslfoundation.com uses an invalid security certificate. The > certificate is not trusted because no issuer chain was provided. (Error > code: sec_error_unknown_issuer) > > > Bad server configuration or is the problem on my end?
We're "squatting" on the opensslfoundation.org FQDN but don't use it in preference to opensslfoundation.com which emphasizes the commercial aspect of the OpenSSL Software Foundation (OSF). The issuer of the server cert is a self-signed root. That was done deliberately so as to not implicitly endorse any of the commercial CAs that have their certs preloaded in browser keystores. So the Firefox "issuer is unknown" warning is expected. If it makes you actually think about the authenticity of the server so much the better, it's not like the pre-load keystores constitute a very exclusive club. The "opensslfoundation.com" name should be in the cert. I'll put it on my list... -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
