Re: Cannot get certificate chain to work.

[dE <de.techno@xxxxxxxxx>]

On 10/07/14 22:42, Daniel wrote:

SSLCertificateChainFile is deprecated in 2.4 in favour of SSLCaCertificateFile

2014-10-07 16:59 GMT+02:00 dE <de.techno@xxxxxxxxx>:

On 10/07/14 18:12, Igor Cicimov wrote:

On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@xxxxxxxxx> wrote:

Hi.

I'm in a situation where I got 3 certificates

server.pem -- the end user certificate which's sent by the server to the client.
intermediate.pem -- server.pem is signed by intermediate.pem's private key.
issuer.pem -- intermediate.pem is signed by issuer.pem's private key.

combined.pem is created by --

cat server.pem intermediate.pem > combined.pem

Issuer.pem is installed in the web browser.

The chain is working, I can verify this via the SSL command --

cat intermediate.pem issuer.pem > cert_bundle.pem
openssl verify -CAfile cert_bundle.pem server.pem
server.pem: OK

However the browsers (FF, Chrome, Konqueror and wget) fail authentication, claiming there are no certificates to verity server.pem's signature.

I'm using Apache 2.4.10 with the following --

SSLCertificateFile /tmp/combined.pem
SSLCertificateKeyFile /tmp/server.key

Try this:

$ cat issuer.pem intermediate.pem > CA_chain.pem

  SSLCertificateFile server.pem
  SSLCertificateKeyFile server.key
  SSLCertificateChainFile CA_chain.pem

Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4) with the same issue.

No, you can see it here --

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile

when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.