httpd-users mailing list archives

From dE <de.tec...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Fri, 10 Oct 2014 17:56:16 GMT
On 10/10/14 19:00, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> dE,
>
> On 10/10/14 6:30 AM, dE wrote:
>> On 10/09/14 23:47, Christopher Schultz wrote:
>>
>> De,
>>
>> On 10/7/14 11:27 PM, dE wrote:
>>>>> $ openssl x509 -noout -in server.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:43:42 2014 GMT
>>>>>             Not After : Oct  2 08:43:42 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>> 1024-bit keys?
>>
>> Perhaps the browsers are smart enough not to trust those.
>>
>>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:42:05 2014 GMT
>>>>>             Not After : Oct  2 08:42:05 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>> Hmm.
>>
>>>>> $ openssl x509 -noout -in issuer.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:40:29 2014 GMT
>>>>>             Not After : Oct  7 08:40:29 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>> Maybe try again with 2048-bit keys or better?
>>
>> -chris
>>> ---------------------------------------------------------------------
>>>
>>>
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>> Yeah, I'll try 4096. That's the standard. But it did work when
>> only intermediate.pem was sent by the server and issuer.pem was
>> installed in the browser.
> You might want to check using SSL Labs' server scanner. It will tell
> you exactly what the server is sending, whether they are in the right
> order, at what level they are trusted, and give you advice about how
> to improve the configuration.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJUN991AAoJEBzwKT+lPKRY9hYQAJ7tNxFSnI6KtRk2XdjCceQI
> tT6HFp3dxUk+JPffjAmJGamYGhMD5E11IsqLa+GT25u+ULsRfoV7ovVcOiQtvC1E
> HdKpDxeN4VUVzESRWPeBE+SdATRwpu2fJsSQ9bLfFS6Mw9Cj0GJMp9wRRWAhxz+/
> TyIhxRsTruc6Y8e2r+/M+p/QaO49/FknJpISb9m/xoKqaVg6eiMxfnDBJeJ63p0T
> u7j2wOuQDvZlW7nSRUnp4M/Z3NbIwdJAlxDnZ4d9S8tvTLESQaJpoFxhsutOdK/X
> 82pIPbsoZeP5CvBuZ/f3iISrVqEkYh9uJCawj+tdniYrrsXnOKL5diE2SMrzXmXD
> ecL+YhNedFzQp+MHVtNgHtK/ZEc35/HmnEp9qDQP3O9KmEh8y4m/qFchRP1a5EzL
> KYhS7VpV1cagmvh6vg1+3GoJcGSshdKEgQYSYQnK6KuaD+A/EZvio1eeXvdF/EWx
> 2M/8PsEi13vpf5Ev5RmfDF8ma6yO7QhXAzTCcFpGNqRD4J1mjkUxCtfkG+JydlQc
> TbDRpVFmKeo5NTZAIoIZ8br2F9RMSdV8prVOytt0Yfd+cpFZyCTr+bfq9U+rkS1p
> REuUrQvWGMlOPvr35KHXqjKmu78K0bxCapGqmzxrx2LRcHb5tnkM9CLSVvjTnfWI
> 9Xufi+4JpiEBBO43tmSX
> =seHs
> -----END PGP SIGNATURE-----
>

I tried 4096 with the same problem.

$ openssl verify -CAfile issuer.pem intermediate.pem
intermediate.pem: OK

intermediate.pem does not import. First I have to try to get them imported
before putting them on the server. Otherwise it's pointless (it'll
always fail).
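Added example for this thread, not code from any of the posts. The certificates quoted above are all `Version: 1 (0x0)`, so they carry no X.509v3 extensions, and `openssl verify -CAfile issuer.pem intermediate.pem` only checks that single hop. The script below builds a throwaway issuer -> intermediate -> server chain with 2048-bit keys and v3 extensions (basicConstraints CA:TRUE plus keyCertSign on the two CAs, CA:FALSE on the leaf), then checks each certificate's basicConstraints and verifies the leaf with only issuer.pem trusted and intermediate.pem supplied as untrusted chain material, which is the check a browser performs when the server sends server.pem together with intermediate.pem. File names follow the thread; the CNs and the hostname server.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posts.
# Builds a throwaway issuer -> intermediate -> server chain with X.509 v3
# extensions, then checks it the way a validator does. File names follow
# the thread; CNs and the hostname server.example.test are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root: CA:TRUE plus keyCertSign, so it may issue certificates.
make_root() {
    cat > "$WORK/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = issuer
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/root.cnf" \
        -keyout "$WORK/issuer.key" -out "$WORK/issuer.pem" 2>/dev/null
}

# issue NAME CA_PEM CA_KEY: sign a certificate for CN=NAME with the
# extensions read from stdin; writes $WORK/NAME.key and $WORK/NAME.pem.
issue() {
    name=$1; ca_pem=$2; ca_key=$3
    cat > "$WORK/$name.ext"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' \
        "$name" > "$WORK/$name.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca_pem" -CAkey "$ca_key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" 2>/dev/null
}

build_chain() {
    if [ -f "$WORK/server.pem" ]; then return 0; fi
    make_root
    # Intermediate: also a CA, but pathlen:0 so it can only issue leaves.
    issue intermediate "$WORK/issuer.pem" "$WORK/issuer.key" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Leaf: explicitly not a CA, with a SAN as browsers require.
    issue server "$WORK/intermediate.pem" "$WORK/intermediate.key" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
}

# Succeeds only if the certificate carries basicConstraints CA:TRUE, the
# flag a validator needs before it will accept the certificate as an issuer.
is_ca() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Full-path check: only issuer.pem is trusted, intermediate.pem is untrusted
# chain material, exactly what a browser holding the root alone must do.
verify_chain() {
    openssl verify -CAfile "$WORK/issuer.pem" \
        -untrusted "$WORK/intermediate.pem" "$WORK/server.pem"
}

build_chain
for c in issuer intermediate server; do
    if is_ca "$WORK/$c.pem"; then
        echo "$c.pem: CA:TRUE (may issue certificates)"
    else
        echo "$c.pem: not a CA (end-entity certificate)"
    fi
done
verify_chain
```

Run as-is; the last line prints `server.pem: OK` when the whole path validates. To see which certificates a live server actually presents, and in what order, `openssl s_client -connect host:443 -showcerts` lists them as sent.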
