----- "Ray Van Dolson" <rvandolson@xxxxxxxx> wrote:
> I just updated a Verisign certificate for one of our sites, and noticed
> Firefox was complaining that it wasn't valid. This usually happens
> when Verisign's released a new intermediate certificate, and I
> typically just install the new one and point to it using
> SSLCACertificateFile.
>
> This time around, that didn't work.
>
> I RTFM and it seemed that SSLCACertificateFile had nothing at all to do
> with intermediate certs, and everything to do with client
> authentication, and that I _should_ be using SSLCertificateChainFile.
> Several posts[1][2] I stumbled across seemed to confirm this as well.
> I made the change in configuration directive, and sure enough,
> everything began working.

A couple of minutes of searching revealed:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR212&actp=LIST&viewlocale=en_US
and
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR193

> Upon checking, I realized I have several other sites using
> SSLCACertificateFile to point to an (older) intermediate cert file from
> verisign. I'm curious why this works when it appears to be the wrong
> configuration directive for the job, but doesn't with the new
> intermediate cert file?

I suggest you test with

  openssl s_client -connect example.com:443 -showcerts -verify 1

That should help you understand what's going on.

> [ One wrinkle is that with the newest intermediate cert from Verisign,
> they are actually providing a primary and secondary cert instead of
> just one. ]
>
> Using Apache 2.2.x.
>
> Thanks,
> Ray
>
> [1] http://httpd.markmail.org/thread/ip4oqm2ugbdhkdjx
> [2] http://httpd.markmail.org/thread/6bxoeyaykx4fvcp7

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
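
Added example, not part of the original message or of the Apache project: a small shell helper that reads the output of the s_client command suggested above and reports whether the server sent an intermediate and whether each certificate's issuer matches the next certificate's subject. The function names (check_chain, sample) and all certificate names in the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client -showcerts` output on stdin and
# prints one verdict about the certificates the server actually sent:
#   chain-ok N      N certs sent, each one issued by the next
#   leaf-only       only the server certificate was sent (no intermediate)
#   broken-link K   issuer of cert K is not the subject of cert K+1
#   no-chain        no "Certificate chain" section found
check_chain() {
  awk '
    /^Certificate chain/  { in_chain = 1; next }
    in_chain && /^---$/   { in_chain = 0 }   # PEM "-----BEGIN" lines do not match
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); issuer[n] = $0; next }
    END {
      if (n == 0) { print "no-chain"; exit 2 }
      if (n == 1) { print "leaf-only"; exit 1 }
      for (k = 1; k < n; k++)
        if (issuer[k] != subj[k + 1]) { print "broken-link " (k - 1); exit 1 }
      print "chain-ok " n
    }'
}

# Constructed s_client output (names invented, PEM bodies omitted).
# $1 = subject of the second certificate sent; empty = leaf only.
sample() {
  printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
    ' 0 s:/C=US/O=Example Corp/CN=www.example.com' \
    '   i:/C=US/O=Example CA/CN=Example Intermediate G2' \
    '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----'
  if [ -n "${1:-}" ]; then
    printf ' 1 s:%s\n   i:/C=US/O=Example CA/CN=Example Root\n' "$1"
  fi
  printf '%s\n' '---' 'Server certificate'
}

G2='/C=US/O=Example CA/CN=Example Intermediate G2'   # matching intermediate
G1='/C=US/O=Example CA/CN=Example Intermediate G1'   # stale intermediate
sample "$G2" | check_chain || true   # chain-ok 2
sample "$G1" | check_chain || true   # broken-link 0
sample ""    | check_chain || true   # leaf-only
# Against a live server:
#   openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | check_chain
```

A "leaf-only" or "broken-link" verdict means clients that do not already hold the right intermediate cannot build a path to a trusted root, whatever file the server's CA directives point to.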