httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Tue, 07 Oct 2014 23:48:10 GMT
On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com> wrote:

>  On 10/07/14 18:12, Igor Cicimov wrote:
>
>
>
> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>
>> Hi.
>>
>> I'm in a situation where I got 3 certificates
>>
>> server.pem -- the end user certificate which is sent by the server to the
>> client.
>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>> key.
>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>
>> combined.pem is created by --
>>
>> cat server.pem intermediate.pem > combined.pem
>>
>> Issuer.pem is installed in the web browser.
>>
>> The chain is working, I can verify this via the SSL command --
>>
>> cat intermediate.pem issuer.pem > cert_bundle.pem
>> openssl verify -CAfile cert_bundle.pem server.pem
>> server.pem: OK
>>
>> However the browsers (FF, Chrome, Konqueror and wget) fail
>> authentication, claiming there are no certificates to verify server.pem's
>> signature.
>>
>> I'm using Apache 2.4.10 with the following --
>>
>> SSLCertificateFile /tmp/combined.pem
>> SSLCertificateKeyFile /tmp/server.key
>>
>>
>  Try this:
>
>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>
>   SSLCertificateFile server.pem
>   SSLCertificateKeyFile server.key
>   SSLCertificateChainFile CA_chain.pem
>
>
> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4)
> with the same issue.
>

Hmm, in that case you have something mixed up, or simply this cannot work
for self-signed certificates, since this is exactly what I'm using on Apache
2.2.24/26 on all our company web sites: a certificate signed by a CA
authority and a chain certificate file where the authority's CA and
Intermediate certs have been concatenated.

Can you show us the output of:

openssl x509 -noout -in cert.pem -text

for all your certificates?
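
The following shell sketch is an added example, not part of the original thread. `openssl verify -CAfile` treats every certificate in the given file as trusted, so this version passes only the root as `-CAfile` and hands the remaining certificates of the served file to `-untrusted`; it also prints the subject/issuer pairs the reply asks for. The function names are hypothetical and the file names are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# file names (issuer.pem, combined.pem) are the ones used in the thread.

# split_bundle BUNDLE DIR: write each PEM certificate in BUNDLE to
# DIR/cert-N.pem, numbered in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# show_links BUNDLE: print subject and issuer of every certificate, in order.
# Each issuer line should name the subject of the certificate that follows.
show_links() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    i=1
    while [ -f "$tmp/cert-$i.pem" ]; do
        echo "[$i]"
        openssl x509 -noout -subject -issuer -in "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# verify_as_client ROOT SERVED: pass ROOT as the trust anchor file; the first
# certificate in SERVED is the leaf, any further ones are untrusted helpers.
# Example: verify_as_client issuer.pem combined.pem
verify_as_client() {
    root=$1
    tmp=$(mktemp -d) || return 2
    split_bundle "$2" "$tmp"
    [ -f "$tmp/cert-1.pem" ] || { rm -rf "$tmp"; return 2; }
    i=2
    while [ -f "$tmp/cert-$i.pem" ]; do
        cat "$tmp/cert-$i.pem" >> "$tmp/untrusted.pem"
        i=$((i + 1))
    done
    set -- -CAfile "$root"
    [ -s "$tmp/untrusted.pem" ] && set -- "$@" -untrusted "$tmp/untrusted.pem"
    openssl verify "$@" "$tmp/cert-1.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Running `show_links` on the file named in `SSLCertificateFile` shows at a glance whether the leaf comes first and whether each issuer is actually present in what the server would send.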
