On 10/10/14 19:00, Christopher Schultz wrote:
> dE,
>
> On 10/10/14 6:30 AM, dE wrote:
>> On 10/09/14 23:47, Christopher Schultz wrote:
>>> De,
>>>
>>> On 10/7/14 11:27 PM, dE wrote:
>>>> $ openssl x509 -noout -in server.pem -text
>>>> Certificate:
>>>>     Data:
>>>>         Version: 1 (0x0)
>>>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>         Validity
>>>>             Not Before: Oct 7 08:43:42 2014 GMT
>>>>             Not After : Oct 2 08:43:42 2015 GMT
>>>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>         Subject Public Key Info:
>>>>             Public Key Algorithm: rsaEncryption
>>>>                 Public-Key: (1024 bit)
>>>
>>> 1024-bit keys? Perhaps the browsers are smart enough not to trust those.
>>>
>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>> Certificate:
>>>>     Data:
>>>>         Version: 1 (0x0)
>>>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>         Validity
>>>>             Not Before: Oct 7 08:42:05 2014 GMT
>>>>             Not After : Oct 2 08:42:05 2015 GMT
>>>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>         Subject Public Key Info:
>>>>             Public Key Algorithm: rsaEncryption
>>>>                 Public-Key: (1024 bit)
>>>
>>> Hmm.
>>>
>>>> $ openssl x509 -noout -in issuer.pem -text
>>>> Certificate:
>>>>     Data:
>>>>         Version: 1 (0x0)
>>>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>         Validity
>>>>             Not Before: Oct 7 08:40:29 2014 GMT
>>>>             Not After : Oct 7 08:40:29 2015 GMT
>>>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>         Subject Public Key Info:
>>>>             Public Key Algorithm: rsaEncryption
>>>>                 Public-Key: (1024 bit)
>>>
>>> Maybe try again with 2048-bit keys or better?
>>>
>>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>> Yeah, I'll try 4096. That's the standard.
>>
>> But it did work when only intermediate.pem was sent by the server and
>> issuer.pem was installed in the browser.
>
> You might want to check using SSL Labs' server scanner. It will tell you
> exactly what the server is sending, whether they are in the right order,
> at what level they are trusted, and give you advice about how to improve
> the configuration.
>
> -chris

I tried 4096 with the same problem.

openssl verify -CAfile issuer.pem intermediate.pem
intermediate.pem: OK

intermediate.pem does not import. First I've to try to get them imported before putting them on the server. Otherwise it's pointless (it'll always fail).
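
A full-path check to go with the commands in this thread, as an added example that is not part of the original messages: it builds a throwaway issuer / intermediate / server chain and verifies server.pem with only issuer.pem trusted and intermediate.pem supplied as untrusted, which is the situation when the server sends the intermediate. The 30-day validity, the `basicConstraints` extension file, the minimal config and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example; all subjects, serials and file contents are constructed test values.

build_chain() {  # $1 = working directory, $2 = RSA key size in bits
    d=$1; bits=$2
    # Minimal config so `openssl req` does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/min.cnf"
    # Assumption of this example: both CA certificates are X.509 v3 with CA:TRUE.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in issuer intermediate server; do
        openssl req -new -newkey "rsa:$bits" -nodes -config "$d/min.cnf" \
            -subj "/C=AU/O=$n/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    # Self-signed root.
    openssl x509 -req -in "$d/issuer.csr" -signkey "$d/issuer.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/issuer.pem" 2>/dev/null || return 1
    # Intermediate signed by the root.
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/issuer.pem" \
        -CAkey "$d/issuer.key" -set_serial 2 -extfile "$d/ca.ext" -days 30 \
        -out "$d/intermediate.pem" 2>/dev/null || return 1
    # Server certificate signed by the intermediate.
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -set_serial 3 -days 30 \
        -out "$d/server.pem" 2>/dev/null || return 1
}

key_bits() {  # $1 = certificate file; prints its public key size in bits
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

verify_full_chain() {  # $1 = dir; trust issuer only, intermediate is untrusted
    openssl verify -CAfile "$1/issuer.pem" -untrusted "$1/intermediate.pem" \
        "$1/server.pem" >/dev/null 2>&1
}

verify_without_intermediate() {  # $1 = dir; the server omits the intermediate
    openssl verify -CAfile "$1/issuer.pem" "$1/server.pem" >/dev/null 2>&1
}

# Usage: d=$(mktemp -d); build_chain "$d" 4096 && verify_full_chain "$d" && echo OK
```

Verifying intermediate.pem against issuer.pem on its own treats the intermediate as the end certificate; the `-untrusted` form checks it in its role as a CA for server.pem.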