> On Dec 18, 2016, at 3:05 PM, Brice André <brice@xxxxxxxxxxxxxxxx> wrote:
>
> I developed the service a few years ago and got wildcard certificates from Startcom. Due to the recent problems with startcom, I migrated my certificates to COMODO. I also tried to rationalise the number of certificates, and I think several of my problems come from here.

Your problem is an incomplete migration. The certificate presented by www.online-rdv.be on port 443 is the StartCom certificate you intended to replace.

> For a dedicated web service, I use a server located at https://www.online-rdv.be/v1/.... With my previous certificate, CN of certificate was a wildcard certificate : *.online-rdv.be. Everything worked fine.

See below for the presented chain:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2304556835693556 (0x82ffb738e63f4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: Oct 14 10:40:52 2015 GMT
            Not After : Oct 14 15:54:25 2017 GMT
        Subject: C=BE, ST=Hainaut, L=Couillet, O=Brice Andr\xE9, CN=*.online-rdv.be/emailAddress=hostmaster@xxxxxxxxxxxxx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                E5:7E:1E:3D:4C:C1:71:36:3A:FE:F8:D3:E7:E2:5F:A1:7D:8B:42:A3
            X509v3 Authority Key Identifier:
                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86
            X509v3 Subject Alternative Name:
                DNS:*.online-rdv.be, DNS:online-rdv.be, DNS:online-rdv.biz, DNS:*.online-rdv.biz, DNS:online-rdv.com, DNS:*.online-rdv.com, DNS:online-rdv.eu, DNS:*.online-rdv.eu, DNS:online-rdv.info, DNS:*.online-rdv.info, DNS:online-rdv.net, DNS:*.online-rdv.net, DNS:online-rdv.org, DNS:*.online-rdv.org, DNS:rdv-doc.be, DNS:*.rdv-doc.be, DNS:doc-rdv.be, DNS:*.doc-rdv.be
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.startssl.com/crt2-crl.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt
            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha256WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8069548958653521 (0x1cab36472d9c51)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
        Validity
            Not Before: Oct 14 20:57:09 2007 GMT
            Not After : Oct 14 20:57:09 2022 GMT
        Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86
            X509v3 Authority Key Identifier:
                keyid:4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2
            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/ca
                CA Issuers - URI:http://aia.startssl.com/certs/ca.crt
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.startssl.com/sfsca.crl
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://www.startssl.com/policy.pdf
    Signature Algorithm: sha256WithRSAEncryption

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
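A check for the situation diagnosed in this reply, as an added example that is not part of the original message or of OpenSSL: it reads the Issuer and Subject Alternative Name fields as printed by `openssl x509 -text` and reports whether the deployed leaf still comes from the old CA and whether the hostname is covered. The field text is copied from the leaf dump above (SAN list shortened); the expected issuer string "COMODO" and all function names are assumptions.

```python
import re

# Fields copied from the leaf certificate dump in this message (SAN list shortened).
LEAF_TEXT = """\
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
Not After : Oct 14 15:54:25 2017 GMT
X509v3 Subject Alternative Name:
    DNS:*.online-rdv.be, DNS:online-rdv.be, DNS:rdv-doc.be, DNS:*.rdv-doc.be
"""

def parse_leaf(text):
    """Return (issuer organisation, DNS SAN list) from `openssl x509 -text` output."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1)
    # Accept both "O=..." and the newer "O = ..." spacing; "OU=" does not match.
    org = re.search(r"\bO\s*=\s*([^,]+)", issuer).group(1).strip()
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return org, sans

def san_matches(host, pattern):
    """Host matching where '*' must be the whole left-most label and
    stands for exactly one label, so *.example.be does not cover example.be."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.be".
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def check_migration(text, host, expected_org):
    """List findings for a leaf that should already be issued by expected_org.
    This is a deployment sanity check, not chain or trust validation."""
    org, sans = parse_leaf(text)
    findings = []
    if expected_org.lower() not in org.lower():
        findings.append(f"issuer organisation is {org!r}, expected {expected_org!r}: "
                        "old certificate is still being served")
    if not any(san_matches(host, s) for s in sans):
        findings.append(f"{host} is not covered by any DNS SAN")
    return findings

if __name__ == "__main__":
    # "COMODO" is the assumed marker for the replacement CA named in the thread.
    for finding in check_migration(LEAF_TEXT, "www.online-rdv.be", "COMODO"):
        print("FINDING:", finding)
```

Run against the fields above, the hostname is covered by the wildcard SAN, so the only finding is the issuer: the name matches, but the certificate is the one that was meant to be retired.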