httpd-users mailing list archives

From dE <de.tec...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Fri, 10 Oct 2014 10:30:41 GMT
On 10/09/14 23:47, Christopher Schultz wrote:
> De,
>
> On 10/7/14 11:27 PM, dE wrote:
>> $ openssl x509 -noout -in server.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Validity
>>             Not Before: Oct  7 08:43:42 2014 GMT
>>             Not After : Oct  2 08:43:42 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
> 1024-bit keys?
>
> Perhaps the browsers are smart enough not to trust those.
>
>> $ openssl x509 -noout -in intermediate.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:42:05 2014 GMT
>>             Not After : Oct  2 08:42:05 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
> Hmm.
>
>> $ openssl x509 -noout -in issuer.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:40:29 2014 GMT
>>             Not After : Oct  7 08:40:29 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
> Maybe try again with 2048-bit keys or better?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

Yeah, I'll try 4096. That's the standard. But it did work when only 
intermediate.pem was sent by the server and issuer.pem was installed in 
the browser.
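
An added example, not part of the original thread: a small Python check that reads `openssl x509 -text` dumps of a chain and reports short keys and broken issuer/subject links. It assumes the dumps are concatenated leaf first and end at a self-signed root; `MIN_RSA_BITS`, `parse_certs` and `check_chain` are hypothetical names, and the sample is constructed from the fields quoted above.

```python
import re

MIN_RSA_BITS = 2048  # assumption: the "2048-bit keys or better" suggested in the thread

# Constructed sample: the fields quoted in the thread, laid out as openssl prints them.
SAMPLE = """\
Certificate:
        Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
                Public-Key: (1024 bit)
Certificate:
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
                Public-Key: (1024 bit)
Certificate:
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
                Public-Key: (1024 bit)
"""

# "Subject Public Key Info:" and "Public Key Algorithm:" do not match this pattern.
FIELD = re.compile(r"^\s*(Issuer|Subject|Public-Key):\s*(.+?)\s*$", re.M)

def parse_certs(text):
    """Split concatenated -text dumps; pull issuer, subject and key size from each."""
    certs = []
    for chunk in re.split(r"^Certificate:\s*$", text, flags=re.M)[1:]:
        fields = dict(FIELD.findall(chunk))
        bits = re.search(r"\d+", fields.get("Public-Key", ""))
        certs.append({"issuer": fields.get("Issuer"), "subject": fields.get("Subject"),
                      "bits": int(bits.group()) if bits else None})
    return certs

def check_chain(certs, min_bits=MIN_RSA_BITS):
    """Findings for a leaf-first chain. Compares names only, not signatures."""
    findings = []
    for i, cert in enumerate(certs):
        if cert["bits"] is None or cert["bits"] < min_bits:
            findings.append(f"{cert['subject']}: key is {cert['bits']} bit, below {min_bits}")
        # The last certificate is expected to be self-signed (issuer == own subject).
        parent = certs[i + 1] if i + 1 < len(certs) else cert
        if cert["issuer"] != parent["subject"]:
            findings.append(f"{cert['subject']}: issuer does not match next subject")
    return findings

if __name__ == "__main__":
    for finding in check_chain(parse_certs(SAMPLE)):
        print(finding)
```

Matching names only shows that the files are in the right order; `openssl verify` is still needed to confirm the signatures.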
