Re: Proper way to reference intermediate certificates in Apache 2.2.x

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

----- "Ray Van Dolson" <rvandolson@xxxxxxxx> wrote:

> I just updated a Verisign certificate for one of our sites, and
> noticed
> Firefox was complaining that it wasn't valid.  This usually happens
> when Verisign's released a new intermediate certificate, and I
> typically just install the new one and point to it using
> SSLCACertificateFile.
> 
> This time around, that didn't work.
> 
> I RTFM and it seemed that SSLCACertificateFile had nothing at all to
> do
> with intermediate certs, and everything to do with client
> authentication, and that I _should_ be using SSLCertificateChainFile.
> Several posts[1][2] I stumbled across seemed to confirm this as well.
> I made the change in configuration directive, and sure enough,
> everything began working.

A couple of minutes of searching: revealed:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR212&actp=LIST&viewlocale=en_US
and
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR193



> Upon checking, I realized I have several other sites using
> SSLCACertificateFile to point to an (older) intermediate cert file
> from
> verisign.  I'm curious why this works when it appears to be the wrong
> configuration directive for the job, but doesn't with the new
> intermediate cert file?

I suggest you test with 
openssl s_client -connect example.com:443 -showcerts -verify 1

That shoul help you understand what's going on.

> [ One wrinkle is that with the newest intermediate cert from
> Verisign,
>   they are actually providing a primary and secondary cert instead of
>   just one. ]
> 
> Using Apache 2.2.x.
> 
> Thanks,
> Ray
> 
> [1] http://httpd.markmail.org/thread/ip4oqm2ugbdhkdjx
> [2] http://httpd.markmail.org/thread/6bxoeyaykx4fvcp7



-- 
Igor GaliÄ

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux