OT: SSL certificate chain problems
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Wed Jan 24 17:37:41 EST 2007
On Tue, Jan 23, 2007 at 08:47:26PM -0600, Travis H. wrote:
> This is not really typical of the traffic on this list, hence the OT.
It is much more typical of openssl-users, which is probably a better
bet for this question.
> Recently I had an issue where Google checkout would not accept an
> SSL certificate because Apache didn't present the entire hierarchy,
> just the site certificate itself. The CA was Thawte. What Google
> said was that many browsers supply missing certs as needed, but
> apparently their software did not.
Generally it is enough for a TLS server or client to present its own
certificate and all *intermediate* CA certificates; sending the root CA
cert is optional, because if the verifying system trusts the root CA in
question, it has a local copy of that root CA cert. There may be limitations
in some verifier implementations that make it necessary to supply the
root CA cert anyway.
http://www.postfix.org/TLS_README.html#server_cert_key
> The fix would seem to be easy; just put the right CA root cert in the
> SSLCACertFile directive.
No, you concatenate multiple certificates (server first, then issuer,
then issuer's issuer, ...) into a single file and set that as the Server
Cert file, not the CA file.
Please take any further questions to openssl-users at openssl.org (via
majordomo at openssl.org).
--
Victor Duchovni
IT Security, Morgan Stanley
ASCII RIBBON CAMPAIGN AGAINST HTML MAIL
NOTICE: If received in error, please destroy and notify sender. Sender does
not waive confidentiality or privilege, and use is prohibited.
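The chain-file layout the reply describes (server cert first, then its issuer), as an added shell example that is not part of the original message; it assumes the openssl command-line tool is installed, and every certificate, key and name it creates is a constructed throwaway.

```shell
# Added example, not from the original message: build a throwaway
# root -> intermediate -> server chain with openssl, then show that a
# verifier trusting only the root accepts the server certificate only
# when the intermediate is shipped with it (server first, then issuer),
# which is what the concatenated server-cert file achieves.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI; every name and key here is disposable.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# new_key_csr NAME: fresh RSA key and CSR for CN=NAME
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}

new_key_csr root
openssl x509 -req -in root.csr -signkey root.key -days 1 \
  -extfile ca.ext -out root.pem 2>/dev/null        # self-signed trust anchor
new_key_csr intermediate
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -days 1 -extfile ca.ext -out intermediate.pem 2>/dev/null
new_key_csr server
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 1 -extfile leaf.ext -out server.pem 2>/dev/null

# Two candidate "server cert" files: the bare leaf, and the leaf
# followed by its issuer, in the order the reply above describes.
cat server.pem > leaf_only.pem
cat server.pem intermediate.pem > leaf_plus_intermediate.pem

# chain_ok FILE: succeed iff a verifier that trusts only root.pem can
# build a path for the first cert in FILE using only what FILE carries.
chain_ok() {
  openssl verify -CAfile root.pem -untrusted "$1" "$1" >/dev/null 2>&1
}
# cert_count FILE: number of PEM certificates in FILE
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

for f in leaf_only.pem leaf_plus_intermediate.pem; do
  if chain_ok "$f"; then
    echo "$f ($(cert_count "$f") certs): verifies against the root alone"
  else
    echo "$f ($(cert_count "$f") certs): incomplete chain, verification fails"
  fi
done
```

The same check applies to a real deployment by pointing `-untrusted` at the concatenated file the server is configured to present.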