OT: SSL certificate chain problems

Massimiliano Pala pala at cs.dartmouth.edu
Wed Jan 24 17:08:46 EST 2007


you should provide the whole chain starting from the CA that issued the server
cert. Be careful, though, because you should *NOT* provide the root cert
in the chain as well.

Moreover you should use the:


not the SSLCACertificateFile (which is for client auth).


Travis H. wrote:
> Hi,
> This is not really typical of the traffic on this list, hence the OT.
> I send it because I think this is one of the few places where I'll
> find some people with deep understanding of SSL certs.
> Recently I had an issue where Google checkout would not accept an
> SSL certificate because Apache didn't present the entire hierarchy,
> just the site certificate itself.  The CA was Thawte.  What Google
> said was that many browsers supply missing certs as needed, but
> apparently their software did not.
> The fix would seem to be easy; just put the right CA root cert in the
> SSLCACertFile directive. or point to the directory with SSLCACertPath.
> However, I've tried over and over with various root CA certs
> downloaded from Thawte, and with one intermediate CA cert, and various
> combinations thereof, but with no sucess.


Best Regards,

	Massimiliano Pala

Massimiliano Pala [OpenCA Project Manager]            pala at cs.dartmouth.edu
                                                  project.manager at openca.org

Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3088 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20070124/c9ee0553/attachment.bin>

More information about the cryptography mailing list