httpd-users mailing list archives

From dE <de.tec...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Tue, 07 Oct 2014 09:25:05 GMT
On 10/06/14 22:26, Daniel wrote:
> I found myself in a similar situation and I couldn't find the reason 
> but I did find a workaround.
>
> To work around this, make a pkcs12 file with all files in it, your 
> private key and the whole chain up until the root CA certificate, then 
> extract them back out from that pkcs12, using the extracted files.
>
> My similar issue happened when I was generating the key and csr with 
> openssl and someone else was signing my request with another 
> software, all modulus matched, everything, but still for browsers the 
> chain was not correctly constructed. I worked around it with the 
> method I mention before.
>
> Until someone can tell you what may really be happening this may be 
> worth a try for you.
>
> Good luck.
>
> 2014-10-06 17:51 GMT+02:00 dE <de.techno@gmail.com>:
>
>     Hi.
>
>     I'm in a situation where I got 3 certificates
>
>     server.pem -- the end user certificate which is sent by the server
>     to the client.
>     intermediate.pem -- server.pem is signed by intermediate.pem's
>     private key.
>     issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>
>     combined.pem is created by --
>
>     cat server.pem intermediate.pem > combined.pem
>
>     Issuer.pem is installed in the web browser.
>
>     The chain is working, I can verify this via the SSL command --
>
>     cat intermediate.pem issuer.pem > cert_bundle.pem
>     openssl verify -CAfile cert_bundle.pem server.pem
>     server.pem: OK
>
>     However the browsers (FF, Chrome, Konqueror and wget) fail
>     authentication, claiming there are no certificates to verify
>     server.pem's signature.
>
>     I'm using Apache 2.4.10 with the following --
>
>     SSLCertificateFile /tmp/combined.pem
>     SSLCertificateKeyFile /tmp/server.key
>
>     I can attach *.pem if you want.
>
>     Thanks for any assistance.
>

I used the following command to create the bundle --

openssl pkcs12 -export -in server.pem -inkey server.key -in intermediate.pem -inkey intermediate.key -out bundle.p12 -name bundle -CAfile issuer.pem -caname issuer -chain

To extract --

openssl pkcs12 -in ../bundle.p12 -out all_combined.pem -nodes

But, when using all_combined.pem as SSLCertificateFile, I get --

[Tue Oct 07 14:50:12.760273 2014] [ssl:emerg] [pid 8357:tid 140531695941504] AH02565: Certificate and private key httpd:443:0 from /home/all_combined.pem and /homecertificate_chaining_test/server.key do not match
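Before pointing httpd at a combined file, two things are worth checking on the command line: that the first certificate in SSLCertificateFile belongs to SSLCertificateKeyFile (the condition AH02565 reports), and that the certificates are ordered leaf, intermediate, ... with each one signed by the next, up to the root. The script below is an added example, not code from this thread or from httpd; it assumes the openssl CLI is on PATH, and the make_test_pki helper builds a throw-away issuer/intermediate/server PKI with the thread's file names purely as constructed sample input.

```shell
# Added check script (not from the thread): key/leaf match plus chain order.
# Assumes the openssl CLI; file names mirror the thread but are assumptions.
# A pkcs12 -nodes extraction also leaves a PRIVATE KEY block and "Bag
# Attributes" lines in the file, which nth_cert skips over.

# nth_cert FILE N: print the Nth CERTIFICATE block (1-based) of a PEM file.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ }
                 c == n { print }
                 /-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# key_matches_cert CHAINFILE KEYFILE: public key inside the first certificate
# must equal the public key derived from the private key (the AH02565 test).
key_matches_cert() {
  cert_pub=$(nth_cert "$1" 1 | openssl x509 -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_is_ordered CHAINFILE ROOTFILE: walk the file from its last certificate
# to its first; each must be signed by the one checked just before it, starting
# from the trusted root. A reversed or shuffled file fails this check.
chain_is_ordered() {
  tmp=$(mktemp -d) || return 1
  cp "$2" "$tmp/signer.pem"
  i=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1"); ok=0
  while [ "$i" -ge 1 ]; do
    nth_cert "$1" "$i" > "$tmp/cur.pem"
    openssl verify -partial_chain -CAfile "$tmp/signer.pem" "$tmp/cur.pem" \
      > /dev/null 2>&1 || ok=1
    mv "$tmp/cur.pem" "$tmp/signer.pem"
    i=$((i - 1))
  done
  rm -rf "$tmp"; return "$ok"
}

# make_test_pki DIR: constructed issuer -> intermediate -> server sample PKI.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > "$1/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Issuer' \
    -keyout "$1/issuer.key" -out "$1/issuer.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$1/intermediate.key" -out "$1/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$1/intermediate.csr" -CA "$1/issuer.pem" -CAkey "$1/issuer.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/intermediate.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/intermediate.pem" -CAkey "$1/intermediate.key" \
    -CAcreateserial -days 30 -out "$1/server.pem" 2>/dev/null
  cat "$1/server.pem" "$1/intermediate.pem" > "$1/combined.pem"
}
```

Run `key_matches_cert combined.pem server.key && chain_is_ordered combined.pem issuer.pem` against the real files; a non-zero exit from the first is exactly what httpd will refuse with AH02565 at startup.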
