On 10/09/14 03:29, Igor Cicimov wrote:
On 09/10/2014 3:46 AM, "dE" <de.tec...@gmail.com
<mailto:de.tec...@gmail.com>> wrote:
> On 10/08/14 21:36, Eric Covener wrote:
>> On Wed, Oct 8, 2014 at 12:00 PM, dE <de.tec...@gmail.com
<mailto:de.tec...@gmail.com>> wrote:
>>> intermediate.pem must get installed automatically in the browsers
(at least in FF), but instead these browsers don't see the certificate.
>> No, servers are expected to transmit the intermediate certificates.
> Yes, they get installed automatically after it's transmitted by the
> Try a fresh FF profile. It'll not have any Microsoft (or MSIT)
certificates. Open Microsoft.com and you'll get a bunch of Microsoft
certificates installed in your certificate manager.
> Actually the problem is with intermediate.pem. I can't install it in
any of the web browser under the issuer.pem certificate. But openSSL
says it's 'verified'.
> This problem is out of scope of Apache.
Weird. And this happens both in ff and chrome? Would be interesting if
you can test with different (older) versions of ff and chrome might be
the newer ones have some restrictions in terms of signatures or
something. May I ask how did you generate the certificates? From what
you sent I couldn't see anything wrong with them though but will have
another look.
That said the browsers behave as expected with all ca authority signed
certificates I've been using.
Yes both FF and Chrome. BUT this works for KDE certificate management.
This's how they were generated --
openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl genpkey -out server.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey
issuer.key -CAcreateserial -out intermediate.pem
openssl x509 -req -days 360 -in server.csr -CA intermediate.pem -CAkey
intermediate.key -CAcreateserial -out server.pem
I'll see this with older version.