On 10/08/14 05:18, Igor Cicimov wrote:
On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@xxxxxxxxx> wrote:
Hmm, in that case you have something mixed up, or simply this cannot work for self-signed certificates, since this is exactly what I'm using on Apache 2.2.24/26 on all our company web sites: a certificate signed by CA authority and a chain certificate file where the authorities CA and Intermediate certs have been concatenated.
Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4) with the same issue.
On 10/07/14 18:12, Igor Cicimov wrote:
On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@xxxxxxxxx> wrote:
Hi.
I'm in a situation where I got 3 certificates:
server.pem -- the end user certificate which is sent by the server to the client.
intermediate.pem -- server.pem is signed by intermediate.pem's private key.
issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
combined.pem is created by --
cat server.pem intermediate.pem > combined.pem
Issuer.pem is installed in the web browser.
The chain is working, I can verify this via the SSL command --
cat intermediate.pem issuer.pem > cert_bundle.pem
openssl verify -CAfile cert_bundle.pem server.pem
server.pem: OK
However the browsers (FF, Chrome, Konqueror and wget) fail authentication, claiming there are no certificates to verify server.pem's signature.
I'm using Apache 2.4.10 with the following --
SSLCertificateFile /tmp/combined.pem
SSLCertificateKeyFile /tmp/server.key
Try this:
$ cat issuer.pem intermediate.pem > CA_chain.pem
SSLCertificateFile server.pem
SSLCertificateKeyFile server.key
SSLCertificateChainFile CA_chain.pem
Can you show us the output of:
openssl x509 -noout -in cert.pem -text
for all your certificates?
$ openssl x509 -noout -in server.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13192573755114198537 (0xb7156feedab91609)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
Validity
Not Before: Oct 7 08:43:42 2014 GMT
Not After : Oct 2 08:43:42 2015 GMT
Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
$ openssl x509 -noout -in intermediate.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Validity
Not Before: Oct 7 08:42:05 2014 GMT
Not After : Oct 2 08:42:05 2015 GMT
Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
$ openssl x509 -noout -in issuer.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Validity
Not Before: Oct 7 08:40:29 2014 GMT
Not After : Oct 7 08:40:29 2015 GMT
Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
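An added example, not part of the thread and not Apache or OpenSSL code: it automates the two checks a reader can make by hand on the dumps above, namely that each Issuer matches the next certificate's Subject and whether the intermediate is marked as a CA. X.509 v1 certificates carry no extensions, so a `Version: 1` intermediate cannot carry basicConstraints CA:TRUE, which RFC 5280 path validation expects of an intermediate unless it is known to be a CA by other means. The names `DUMPS`, `parse` and `audit_chain` are made up for this example.

```python
import re

# Header fields copied from the three dumps in this thread (key and signature
# bytes left out). In practice, pass real `openssl x509 -noout -text` output.
DUMPS = {
    "server.pem": """Version: 1 (0x0)
Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server""",
    "intermediate.pem": """Version: 1 (0x0)
Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate""",
    "issuer.pem": """Version: 1 (0x0)
Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer""",
}

def parse(text):
    """Extract the fields needed for chain checks from openssl's text form."""
    def field(name):
        m = re.search(rf"^\s*{name}\s*:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    version = field("Version")
    return {
        "version": int(version.split()[0]) if version else None,
        "issuer": field("Issuer"),
        "subject": field("Subject"),
        # basicConstraints is a v3 extension; openssl prints it as "CA:TRUE"
        "ca_true": bool(re.search(r"X509v3 Basic Constraints:.*\n\s*CA:TRUE", text)),
    }

def audit_chain(names, dumps=DUMPS):
    """names is ordered leaf first, root last. Returns a list of findings."""
    certs = [parse(dumps[n]) for n in names]
    findings = []
    for i, (name, cert) in enumerate(zip(names, certs)):
        # Each cert is compared with the next one; the root with itself.
        j = i if i == len(certs) - 1 else i + 1
        if cert["issuer"] != certs[j]["subject"]:
            findings.append(f"{name}: Issuer does not match Subject of {names[j]}")
        if 0 < i < j and not cert["ca_true"]:  # intermediates only
            why = "v1, no extensions" if cert["version"] == 1 else "CA:TRUE missing"
            findings.append(f"{name}: intermediate is not marked as a CA ({why})")
    return findings

if __name__ == "__main__":
    for finding in audit_chain(["server.pem", "intermediate.pem", "issuer.pem"]):
        print(finding)
```
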