httpd-users mailing list archives

From Daniel <dferra...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Mon, 06 Oct 2014 16:56:21 GMT
I found myself in a similar situation and I couldn't find the reason but I
did find a workaround.

To work around this, make a pkcs12 file with all files in it, your private
key and the whole chain up until the root CA certificate, then extract them
back out from that pkcs12, using the extracted files.

My similar issue happened when I was generating the key and csr with
openssl and someone else was signing my request with other software; all
moduli matched, everything, but still for browsers the chain was not
correctly constructed. I worked around it with the method I mentioned before.

Until someone can tell you what may really be happening this may be worth a
try for you.

Good luck.

2014-10-06 17:51 GMT+02:00 dE <de.techno@gmail.com>:

> Hi.
>
> I'm in a situation where I got 3 certificates
>
> server.pem -- the end user certificate which is sent by the server to the
> client.
> intermediate.pem -- server.pem is signed by intermediate.pem's private key.
> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>
> combined.pem is created by --
>
> cat server.pem intermediate.pem > combined.pem
>
> Issuer.pem is installed in the web browser.
>
> The chain is working, I can verify this via the SSL command --
>
> cat intermediate.pem issuer.pem > cert_bundle.pem
> openssl verify -CAfile cert_bundle.pem server.pem
> server.pem: OK
>
> However the browsers (FF, Chrome, Konqueror and wget) fail authentication,
> claiming there are no certificates to verify server.pem's signature.
>
> I'm using Apache 2.4.10 with the following --
>
> SSLCertificateFile /tmp/combined.pem
> SSLCertificateKeyFile /tmp/server.key
>
> I can attach *.pem if you want.
>
> Thanks for any assistance.
>
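Added example, not part of the original messages: the PKCS#12 round trip described in the reply, run against a throwaway chain that the script builds itself, followed by a check that trusts only the root and passes the intermediate as untrusted. The subject names, the passphrase and the *_out file names are constructed placeholders; the other file names follow the thread.

```shell
#!/bin/sh
# Added example: PKCS#12 round trip on a constructed chain (all names are placeholders).
set -eu

make_test_chain() {   # constructed root -> intermediate -> server test chain in dir $1
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root' \
    -keyout "$d/issuer.key" -out "$d/issuer.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/issuer.pem" -CAkey "$d/issuer.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

only_pem() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'; }

roundtrip_chain() {   # pack key + full chain into PKCS#12, then extract fresh files
  d=$1; pw='constructed-passphrase'
  cat "$d/intermediate.pem" "$d/issuer.pem" > "$d/chain_in.pem"
  openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.pem" \
    -certfile "$d/chain_in.pem" -passout "pass:$pw" -out "$d/bundle.p12"
  openssl pkcs12 -in "$d/bundle.p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null \
    | only_pem > "$d/server_out.pem"
  openssl pkcs12 -in "$d/bundle.p12" -passin "pass:$pw" -nokeys -cacerts 2>/dev/null \
    | only_pem > "$d/chain_out.pem"
  openssl pkcs12 -in "$d/bundle.p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$d/server_out.key"
}

check_extracted() {   # echoes "ok" when the key matches and the chain builds to the root
  d=$1
  [ "$(openssl x509 -in "$d/server_out.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$d/server_out.key" -pubout)" ] || { echo key-mismatch; return 1; }
  # Trust only the root; intermediates are untrusted, as they are when a server sends them.
  openssl verify -CAfile "$d/issuer.pem" -untrusted "$d/chain_out.pem" \
    "$d/server_out.pem" >/dev/null 2>&1 || { echo chain-broken; return 1; }
  echo ok
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_test_chain "$work"; roundtrip_chain "$work"; check_extracted "$work"
```

On a real deployment the make_test_chain step is skipped and the existing server.key, server.pem, intermediate.pem and issuer.pem are placed in the working directory before calling roundtrip_chain.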
