httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron W Morris <>
Subject Re: [users@httpd] Intermediate SSL cert problem with Apache 2.0.43
Date Sun, 11 Jan 2004 21:12:45 GMT
Turner, John wrote:

> Hi -
> I have a running installation of Apache 2.0.43, with SSL.  I have a Verisign
> certificate that expires in Aug 2004.  I've followed the installation
> description at Verisign (found here:
> exactly.
> My SSL configuration in httpd.conf looks like this, for a single virtual
> host (no other hosts are currently running, HTTP or HTTPS):
> SSLEngine on
> SSLCertificateFile /usr/local/apache2/conf/ssl.key/domain.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/domain.key
> SSLCertificateChainFile
> /usr/local/apache2/conf/ssl.key/verisign-intermediate.crt
> The certificate contained in verisign-intermediate.crt is the certificate
> from this URL: as
> specified in the installation instructions.
> My Problem: browsing to my domain with IE 6 sets up a successful SSL
> connection without errors or other alerts.  However, using Mozilla as well
> as "openssl s_client -connect" generates errors about not
> being able to verify the certificate.
> The specific messages returned by openssl are: "num=20:unable to get local
> issuer certificate" and "num=21:unable to verify the first certificate".
> I'm pretty stumped, and a morning spent searching Google and reading all
> sorts of archived posts hasn't led me any closer to a solution. 
> Is IE broken (please no rants, flames, or sarcasm) and its just assuming the
> certificate is valid because Apache is not sending the intermediate cert?
> How do I verify Apache is sending the certs, including the intermediate
> cert?
> If openssl isn't happy, it seems Apache isn't sending the intermediate cert,
> if this is true, and my configuration is wrong, how do I fix it?  I did see
> one post
> (
> where the poster upgraded his Apache installation to 2.0.48 and got rid of
> the same this the only solution?  
> - John
> ============================================
> John Turner
> | 248-488-3466
> Advertising Audit Service

This might have something to do with the recently expired Verisign CA 
certificate.  Check the expiration of your public CA signing certificate.

Aaron W Morris <> (decep)

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message