httpd-users mailing list archives

From dE <de.tec...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Thu, 09 Oct 2014 05:11:52 GMT
On 10/09/14 03:29, Igor Cicimov wrote:
>
> On 09/10/2014 3:46 AM, "dE" <de.techno@gmail.com> wrote:
> >
> > On 10/08/14 21:36, Eric Covener wrote:
> >>
> >> On Wed, Oct 8, 2014 at 12:00 PM, dE <de.techno@gmail.com> wrote:
> >>>
> >>> intermediate.pem must get installed automatically in the browsers
> >>> (at least in FF), but instead these browsers don't see the certificate.
> >>
> >> No, servers are expected to transmit the intermediate certificates.
> >>
> >
> > Yes, they get installed automatically after it's transmitted by the
> > server.
> >
> > Try a fresh FF profile. It'll not have any Microsoft (or MSIT)
> > certificates. Open Microsoft.com and you'll get a bunch of Microsoft
> > certificates installed in your certificate manager.
> >
> > Actually the problem is with intermediate.pem. I can't install it in
> > any of the web browsers under the issuer.pem certificate. But OpenSSL
> > says it's 'verified'.
> >
> > This problem is out of scope of Apache.
>
> Weird. And this happens both in ff and chrome? Would be interesting if
> you can test with different (older) versions of ff and chrome. Might be
> the newer ones have some restrictions in terms of signatures or
> something. May I ask how did you generate the certificates? From what
> you sent I couldn't see anything wrong with them though but will have
> another look.
> That said the browsers behave as expected with all ca authority signed
> certificates I've been using.
>

Yes both FF and Chrome. BUT this works for KDE certificate management.

This's how they were generated --

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl genpkey -out server.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
openssl x509 -req -days 360 -in server.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out server.pem

I'll see this with an older version.
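
An added example, not part of the original message: the script reruns the same openssl commands and compares them with a variant in which the issuer and intermediate are issued with a basicConstraints CA:TRUE extension file, then checks the full server -> intermediate -> issuer path. The -subj values, the ca.ext file and the function names are assumptions of this example; without -extfile, `openssl x509 -req` adds no CA basic constraint to the certificate it signs.

```shell
#!/bin/sh
# Added example: rebuild the three-level chain from the message and test
# whether the intermediate is usable as a CA. Subject names are constructed.

# make_chain DIR MODE
#   MODE=plain : same x509 invocations as in the message (no extensions)
#   MODE=ca    : issuer and intermediate get basicConstraints CA:TRUE
make_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    ext=""
    if [ "$2" = ca ]; then
        printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                      'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
        ext="-extfile ca.ext"
    fi
    for n in issuer intermediate server; do
        openssl genpkey -out "$n.key" -algorithm rsa \
            -pkeyopt rsa_keygen_bits:2048 2>/dev/null || exit 1
        openssl req -new -key "$n.key" -out "$n.csr" \
            -subj "/CN=example-$n" || exit 1
    done
    # $ext is intentionally unquoted so it expands to zero or two words.
    openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key \
        $ext -out issuer.pem 2>/dev/null || exit 1
    openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem \
        -CAkey issuer.key -CAcreateserial $ext -out intermediate.pem \
        2>/dev/null || exit 1
    openssl x509 -req -days 360 -in server.csr -CA intermediate.pem \
        -CAkey intermediate.key -CAcreateserial -out server.pem \
        2>/dev/null || exit 1
)

# chain_ok DIR: succeeds only if server.pem verifies through the
# intermediate up to the issuer, the full path a client has to build.
chain_ok() {
    openssl verify -CAfile "$1/issuer.pem" \
        -untrusted "$1/intermediate.pem" "$1/server.pem" >/dev/null 2>&1
}

# is_ca FILE: succeeds if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Verifying intermediate.pem directly against issuer.pem treats it as a leaf and does not exercise the CA check; chain_ok does, because the intermediate has to act as an issuer there.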
