OT: SSL certificate chain problems
Massimiliano Pala
pala at cs.dartmouth.edu
Wed Jan 24 17:08:46 EST 2007
Hi,
you should provide the whole chain starting from the CA that issued the server
cert. Be careful, though, because you should *NOT* provide the root cert
in the chain as well.
Moreover you should use the:
SSLCertificateChainFile
not the SSLCACertificateFile (which is for client auth).
Cheers,
Max.
Travis H. wrote:
> Hi,
>
> This is not really typical of the traffic on this list, hence the OT.
>
> I send it because I think this is one of the few places where I'll
> find some people with deep understanding of SSL certs.
>
> Recently I had an issue where Google checkout would not accept an
> SSL certificate because Apache didn't present the entire hierarchy,
> just the site certificate itself. The CA was Thawte. What Google
> said was that many browsers supply missing certs as needed, but
> apparently their software did not.
>
> The fix would seem to be easy; just put the right CA root cert in the
> SSLCACertFile directive. or point to the directory with SSLCACertPath.
> However, I've tried over and over with various root CA certs
> downloaded from Thawte, and with one intermediate CA cert, and various
> combinations thereof, but with no sucess.
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] pala at cs.dartmouth.edu
project.manager at openca.org
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063 Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3088 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20070124/c9ee0553/attachment.bin>
More information about the cryptography
mailing list