httpd-dev mailing list archives

From Rob Stradling
Subject Re: mod_ssl patch: use new OpenSSL features to autofix cert chains
Date Thu, 27 Mar 2014 16:37:42 GMT
On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
> it doesn't even need to fetch the certificate itself, it could just make
> the big noisy error log say "you should fetch the cert from <AIAURL> and
> append it to <SSLCertificateChainFile>"

<AIAURL> is supposed to be DER-encoded rather than Base64-encoded, so 
the user would need to convert it using "openssl x509 -inform der -out" 
before appending it to <SSLCertificateChainFile>.

<AIAURL> is sometimes a PKCS#7 "certs only" bundle of multiple certs, 
all issued to the same Subject CA.  The certs can be extracted using 
"openssl pkcs7 -inform der -print_certs", but which one of those certs 
(if any) should the user append to <SSLCertificateChainFile>?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
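
The two download forms described in the message above, handled in one place (an added example, not part of the original message or of mod_ssl): the function tells a single DER certificate from a DER PKCS#7 certs-only bundle and returns every certificate as PEM. The names `aia_to_pem`, `read_tlv` and `children` and the sample byte strings are assumptions constructed for illustration; choosing which extracted certificate to append is left to the administrator.

```python
import ssl

# OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), DER content octets
PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite-length BER is not handled here")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value, raw) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def aia_to_pem(der):
    """Classify an AIA download; return (kind, list of PEM certificates)."""
    tag, body, end = read_tlv(der)
    items = list(children(body)) if tag == 0x30 else []
    if items and items[0][0] == 0x30:  # Certificate begins with tbsCertificate
        return "x509", [ssl.DER_cert_to_PEM_cert(der[:end])]
    if len(items) == 2 and items[0][:2] == (0x06, PKCS7_SIGNED_DATA):
        _, signed_data, _ = read_tlv(items[1][1])  # unwrap [0] EXPLICIT
        for t, v, _ in children(signed_data):
            if t == 0xA0:  # certificates [0] IMPLICIT SET OF Certificate
                return "pkcs7", [ssl.DER_cert_to_PEM_cert(r) for _, _, r in children(v)]
        return "pkcs7", []  # bundle carries no certificates
    raise ValueError("not a DER X.509 certificate or PKCS#7 certs-only bundle")

# Constructed structural stand-ins (not real certificates) to exercise both paths
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form lengths only

CERT_A = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")))
CERT_B = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x02")))
BUNDLE = _tlv(0x30, _tlv(0x06, PKCS7_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30,
    _tlv(0x02, b"\x01") + _tlv(0x31, b"")
    + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701")))
    + _tlv(0xA0, CERT_A + CERT_B) + _tlv(0x31, b""))))
```

Each returned PEM block can be inspected with `openssl x509 -noout -subject -issuer` before anything is appended to the chain file.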
