OT: SSL certificate chain problems

Victor Duchovni Victor.Duchovni at MorganStanley.com
Wed Jan 24 17:37:41 EST 2007

On Tue, Jan 23, 2007 at 08:47:26PM -0600, Travis H. wrote:

> This is not really typical of the traffic on this list, hence the OT.

It is much more typical of openssl-users, which is probably a better
bet for this question.

> Recently I had an issue where Google checkout would not accept an
> SSL certificate because Apache didn't present the entire hierarchy,
> just the site certificate itself.  The CA was Thawte.  What Google
> said was that many browsers supply missing certs as needed, but
> apparently their software did not.

Generally it is enough for a TLS server or client to present its own
certificate and all *intermediate* CA certificates, sending the root CA
cert is optional, because if the verifying system trusts the root CA in
question, it has a local copy of that root CA cert. There may be limitations
in some verifier implementations that make it necessary to supply the
root CA cert anyway.


> The fix would seem to be easy; just put the right CA root cert in the
> SSLCACertFile directive.

No, you concatenate multiple certificates (server first, then issuer,
then issuer's issuer, ...) into a single file and set that as the Server
Cert file, not the CA file.

Please take any further questions to openssl-users at openssl.org (via
majordomo at openssl.org).


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
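The ordering the reply describes (server certificate first, then its issuer, then the issuer's issuer, with the root optional) can be checked mechanically before the bundle is deployed. The following is an added example for this archive page, not code from either poster; it uses only the Python standard library, reading just the issuer and subject Name fields of each certificate with a minimal DER walker. It does not verify signatures, validity dates or key usage, so it complements rather than replaces `openssl verify`. The "Example Root CA", "Example Intermediate CA" and "shop.example.com" certificates it builds are constructed stand-ins with correct Certificate structure but dummy keys and signatures, good only for exercising the ordering logic. Which Apache directive consumes the resulting file depends on the version: 2.4.8 and later accept the whole chain in SSLCertificateFile, older 2.x releases want the intermediates in a separate SSLCertificateChainFile.

```python
"""Check and repair the send order of a PEM certificate bundle
(leaf first, each certificate issued by the next) with the stdlib only."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
MSG_MISSING = ("last cert is not issued by a trusted root: "
               "intermediate CA certificate(s) are missing")


def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def issuer_subject(der):
    """Return (issuer, subject) as raw DER Name contents of an X.509 certificate."""
    _, cert, _ = _tlv(der)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                 # tbsCertificate
    tag, _, pos = _tlv(tbs)                # version [0] EXPLICIT is optional ...
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # ... so this is serialNumber only if present
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)        # issuer Name
    _, _, pos = _tlv(tbs, pos)             # validity
    _, subject, _ = _tlv(tbs, pos)         # subject Name
    return issuer, subject


def parse_bundle(pem_text):
    """Split a PEM bundle into DER certificates, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_chain(pem_text, roots_pem=None):
    """Return ordering problems; [] means leaf first and each cert issued by the
    next. With roots_pem given, also require the last cert to chain to a root
    (the leaf-only bundle from the thread fails exactly this check)."""
    certs = [issuer_subject(d) for d in parse_bundle(pem_text)]
    if not certs:
        return ["bundle contains no certificates"]
    problems = [f"cert {i} is not issued by cert {i + 1}"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if roots_pem is not None:
        roots = {issuer_subject(d)[1] for d in parse_bundle(roots_pem)}
        if certs[-1][0] not in roots:      # a self-signed root as last cert passes too
            problems.append(MSG_MISSING)
    return problems


def order_chain(pem_text, include_root=False):
    """Rebuild an unordered bundle as leaf, issuer, issuer's issuer, ...
    The self-signed root is dropped unless include_root is set, since the
    verifier must already hold its own trusted copy for the chain to work."""
    ders = parse_bundle(pem_text)
    by_subject = {issuer_subject(d)[1]: d for d in ders}
    issuers = {issuer_subject(d)[0] for d in ders}
    leaves = [d for d in ders if issuer_subject(d)[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    ordered, cur = [], leaves[0]
    for _ in range(len(ders)):             # bounded walk: a cycle cannot loop forever
        issuer, subject = issuer_subject(cur)
        if issuer == subject:              # reached a self-signed root
            if include_root:
                ordered.append(cur)
            break
        ordered.append(cur)
        cur = by_subject.get(issuer)
        if cur is None:                    # issuer not in bundle (root omitted)
            break
    return "".join(to_pem(d) for d in ordered)


# --- constructed test certificates (structure only, NOT verifiable) ----------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { id-at-commonName (2.5.4.3), UTF8String }
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def constructed_cert(subject_cn, issuer_cn):
    """Stand-in with real issuer/subject Names, dummy validity, key, signature."""
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    return to_pem(_der(0x30, tbs + alg + _der(0x03, b"\x00")))


ROOT = constructed_cert("Example Root CA", "Example Root CA")
INTERMEDIATE = constructed_cert("Example Intermediate CA", "Example Root CA")
LEAF = constructed_cert("shop.example.com", "Example Intermediate CA")

if __name__ == "__main__":
    print(check_chain(LEAF, roots_pem=ROOT))           # leaf only: the thread's failure
    print(check_chain(INTERMEDIATE + LEAF))             # right certs, wrong order
    print(check_chain(order_chain(INTERMEDIATE + LEAF + ROOT), roots_pem=ROOT))
```

Run against a real bundle, `check_chain(open("chain.pem").read(), roots_pem=open("/etc/ssl/certs/ca-certificates.crt").read())` (path an assumption; use the verifier's own root store) reproduces the Google Checkout failure offline: a leaf-only file reports the missing intermediates, and the reordered output of `order_chain` is what the server should send.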
