Re: Cannot get certificate chain to work.

On 10/09/14 03:29, Igor Cicimov wrote:


On 09/10/2014 3:46 AM, "dE" <de.techno@xxxxxxxxx> wrote:
>
> On 10/08/14 21:36, Eric Covener wrote:
>>
>>
>> On Wed, Oct 8, 2014 at 12:00 PM, dE <de.techno@xxxxxxxxx> wrote:
>>>
>>> intermediate.pem must get installed automatically in the browsers (at least in FF), but instead these browsers don't see the certificate.
>>
>>
>> No, servers are expected to transmit the intermediate certificates.
>>
>
> Yes, they get installed automatically after it's transmitted by the server.
>
> Try a fresh FF profile. It'll not have any Microsoft (or MSIT) certificates. Open Microsoft.com and you'll get a bunch of Microsoft certificates installed in your certificate manager.
>
> Actually the problem is with intermediate.pem. I can't install it in any of the web browsers under the issuer.pem certificate. But openSSL says it's 'verified'.
>
> This problem is out of scope of Apache.

Weird. And this happens both in FF and Chrome? It would be interesting if you could test with different (older) versions of FF and Chrome; it might be that the newer ones have some restrictions in terms of signatures or something. May I ask how you generated the certificates? From what you sent I couldn't see anything wrong with them, though, but I will have another look.
That said, the browsers behave as expected with all CA authority signed certificates I've been using.


Yes, both FF and Chrome. BUT this works for KDE certificate management.

This is how they were generated --

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl genpkey -out server.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
openssl x509 -req -days 360 -in server.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out server.pem

I'll see this with an older version.
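
Added example, not part of the original message: the commands above pass no -extfile, so the issuer and intermediate certificates they produce carry no basicConstraints CA:TRUE extension, which RFC 5280 path validation expects of a CA certificate. The script below rebuilds the chain both ways and checks for the extension; the helper names, ca.ext and the -subj values are assumptions made for the example.

```shell
#!/bin/sh
# Added example; is_ca, chain_ok, mkchain, ca.ext and the -subj names are assumptions.

# is_ca CERT: succeed if CERT carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chain_ok DIR: succeed if server.pem verifies through intermediate.pem to issuer.pem.
chain_ok() {
    openssl verify -CAfile "$1/issuer.pem" -untrusted "$1/intermediate.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

# mkchain DIR [EXTFILE]: build the three-level chain with the thread's commands.
# EXTFILE, when given, is applied to the issuer and intermediate only.
mkchain() {
    dir=$1; ext=${2:+-extfile $2}   # $ext is used unquoted so it expands to two words
    for n in issuer intermediate server; do
        openssl genpkey -out "$dir/$n.key" -algorithm rsa 2>/dev/null
        openssl req -new -key "$dir/$n.key" -out "$dir/$n.csr" -subj "/CN=example-$n"
    done
    openssl x509 -req -days 365 -in "$dir/issuer.csr" -signkey "$dir/issuer.key" \
        $ext -out "$dir/issuer.pem" 2>/dev/null
    openssl x509 -req -days 360 -in "$dir/intermediate.csr" -CA "$dir/issuer.pem" \
        -CAkey "$dir/issuer.key" -CAcreateserial $ext -out "$dir/intermediate.pem" 2>/dev/null
    openssl x509 -req -days 360 -in "$dir/server.csr" -CA "$dir/intermediate.pem" \
        -CAkey "$dir/intermediate.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}

plain=$(mktemp -d)   # chain exactly as generated in the message
fixed=$(mktemp -d)   # same chain, with the two CA certificates marked as CAs
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$fixed/ca.ext"
mkchain "$plain"
mkchain "$fixed" "$fixed/ca.ext"

for d in "$plain" "$fixed"; do
    if is_ca "$d/intermediate.pem"; then echo "$d: intermediate has CA:TRUE"
    else echo "$d: intermediate has no CA:TRUE"; fi
done
chain_ok "$fixed" && echo "fixed chain verifies with openssl verify"
```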
