From: dE <de.techno@gmail.com>
To: users@httpd.apache.org
Date: Thu, 09 Oct 2014 10:41:52 +0530
Subject: Re: [users@httpd] Cannot get certificate chain to work.

On 10/09/14 03:29, Igor Cicimov wrote:
> On 09/10/2014 3:46 AM, "dE" <de.techno@gmail.com> wrote:
> >
> > On 10/08/14 21:36, Eric Covener wrote:
> >>
> >> On Wed, Oct 8, 2014 at 12:00 PM, dE <de.techno@gmail.com> wrote:
> >>>
> >>> intermediate.pem must get installed automatically in the browsers (at least in FF), but instead these browsers don't see the certificate.
> >>
> >> No, servers are expected to transmit the intermediate certificates.
> >>
> >
> > Yes, they get installed automatically after it's transmitted by the server.
> >
> > Try a fresh FF profile. It'll not have any Microsoft (or MSIT) certificates. Open Microsoft.com and you'll get a bunch of Microsoft certificates installed in your certificate manager.
> >
> > Actually the problem is with intermediate.pem. I can't install it in any of the web browsers under the issuer.pem certificate. But OpenSSL says it's 'verified'.
> >
> > This problem is out of scope of Apache.
>
> Weird. And this happens both in FF and Chrome? Would be interesting if you can test with different (older) versions of FF and Chrome; it might be that the newer ones have some restrictions in terms of signatures or something. May I ask how you generated the certificates? From what you sent I couldn't see anything wrong with them, though, but will have another look.
> That said, the browsers behave as expected with all CA-signed certificates I've been using.


Yes, both FF and Chrome. BUT this works for KDE certificate management.

This is how they were generated:

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl genpkey -out server.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
openssl x509 -req -days 360 -in server.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out server.pem

I'll see this with an older version.
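An added example (mine, not from anyone in this thread) that runs the commands above in a scratch directory and compares them with the same chain signed through an X.509v3 extension file. The commands as posted pass no -extfile to `openssl x509 -req`, so intermediate.pem carries no basicConstraints CA:TRUE; a browser's path validator refuses to treat such a certificate as an issuer, while `openssl verify` of intermediate.pem on its own (or with the intermediate placed in the trusted -CAfile) still reports OK, which matches what dE sees. Everything here is assumed: the subject names, the www.example.test SAN, the throwaway req config and the work directory; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example, not from the thread: build the chain the way the thread does
# and the way browsers need it, then validate both with `openssl verify`.
# Names (Example Test ..., www.example.test) and paths are this example's own.
set -u

# Minimal req config so the run does not depend on the system openssl.cnf;
# the subject comes from -subj, so the DN section can stay empty.
write_req_conf() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/req.cnf"
}

# One key and CSR per name, as in the thread (genpkey + req -new).
make_keys_and_csrs() {
    dir=$1
    mkdir -p "$dir"
    write_req_conf "$dir"
    for n in issuer intermediate server; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$n.key" 2>/dev/null
        openssl req -new -batch -config "$dir/req.cnf" -key "$dir/$n.key" \
            -subj "/CN=Example Test $n" -out "$dir/$n.csr"
    done
}

# The thread's signing commands: no -extfile, so the intermediate has no
# basicConstraints CA:TRUE and cannot act as an issuer in a browser's eyes.
make_chain_plain() {
    dir=$1
    make_keys_and_csrs "$dir"
    openssl x509 -req -days 365 -in "$dir/issuer.csr" -signkey "$dir/issuer.key" \
        -out "$dir/issuer.pem" 2>/dev/null
    openssl x509 -req -days 360 -in "$dir/intermediate.csr" -CA "$dir/issuer.pem" \
        -CAkey "$dir/issuer.key" -CAcreateserial -out "$dir/intermediate.pem" 2>/dev/null
    openssl x509 -req -days 360 -in "$dir/server.csr" -CA "$dir/intermediate.pem" \
        -CAkey "$dir/intermediate.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}

# Same commands plus X.509v3 extensions: CA:TRUE on both issuers (pathlen:0 on
# the intermediate), CA:FALSE plus a SAN and serverAuth on the server cert.
make_chain_v3() {
    dir=$1
    make_keys_and_csrs "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$dir/sub.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\nauthorityKeyIdentifier=keyid\n' > "$dir/leaf.ext"
    openssl x509 -req -days 365 -in "$dir/issuer.csr" -signkey "$dir/issuer.key" \
        -extfile "$dir/ca.ext" -out "$dir/issuer.pem" 2>/dev/null
    openssl x509 -req -days 360 -in "$dir/intermediate.csr" -CA "$dir/issuer.pem" \
        -CAkey "$dir/issuer.key" -CAcreateserial -extfile "$dir/sub.ext" \
        -out "$dir/intermediate.pem" 2>/dev/null
    openssl x509 -req -days 360 -in "$dir/server.csr" -CA "$dir/intermediate.pem" \
        -CAkey "$dir/intermediate.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/server.pem" 2>/dev/null
}

# What Apache must send: server certificate first, then the intermediate.
# The root is not sent; it lives in the client's trust store.
write_fullchain() {
    cat "$1/server.pem" "$1/intermediate.pem" > "$1/fullchain.pem"
}

# Path validation the way a browser does it: root trusted, intermediate merely
# supplied (-untrusted), server certificate the target. Exit status = result.
verify_chain() {
    openssl verify -CAfile "$1/issuer.pem" -untrusted "$1/intermediate.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# Does the certificate assert basicConstraints CA:TRUE?
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

work=$(mktemp -d)
make_chain_plain "$work/plain"
make_chain_v3 "$work/v3"
write_fullchain "$work/v3"
for c in plain v3; do
    if cert_is_ca "$work/$c/intermediate.pem"; then ca="CA:TRUE"; else ca="no CA:TRUE"; fi
    if verify_chain "$work/$c"; then r=OK; else r=FAILED; fi
    echo "$c chain: intermediate has $ca, openssl verify $r"
done
# plain chain: intermediate has no CA:TRUE, openssl verify FAILED
# v3 chain: intermediate has CA:TRUE, openssl verify OK
```

The plain chain fails `openssl verify -CAfile issuer.pem -untrusted intermediate.pem server.pem` because the intermediate is not a valid CA, while the v3 chain passes; verifying intermediate.pem alone against issuer.pem, as a leaf, says OK for both, which is why "OpenSSL says verified" proves little here. On the httpd side the file to serve is fullchain.pem in SSLCertificateFile (httpd 2.4.8 and later), or the intermediate alone in SSLCertificateChainFile on older releases.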