Chained SSL Certificates ?
- Thread starter ktippetts
- Start date
Hi.
I have a question regarding the chained certificates, and perhaps an issue to report.
I have 3 files in total, the server certificate, the server key, and the certificate authority certificate. Apache has a setting named "SSLCertificateChainFile" that allows to specify a path to the CA certificate, but lshttpd allows only to set the "Chained Certificate" to Yes. The question is, how lshttpd manages to chain the certificates, without the path to the chain certificate?
Now the issue, is related to the question I believe. Sometimes, I'm getting a warning "The certificate is expired or not valid yet", and when I'm checking in the "certification path", I can see that the middle certificate (there are 3), is noted by an X. When I view his details, I can see that it is valud from 1997-2004 - a year ago. A refresh of the page resolves the matter, but it eventually repeats.
I'm using LSHTTP 2.1RC2, and Verisign SSL certificates.
Thank!
I have a question regarding the chained certificates, and perhaps an issue to report.
I have 3 files in total, the server certificate, the server key, and the certificate authority certificate. Apache has a setting named "SSLCertificateChainFile" that allows to specify a path to the CA certificate, but lshttpd allows only to set the "Chained Certificate" to Yes. The question is, how lshttpd manages to chain the certificates, without the path to the chain certificate?
Now the issue, is related to the question I believe. Sometimes, I'm getting a warning "The certificate is expired or not valid yet", and when I'm checking in the "certification path", I can see that the middle certificate (there are 3), is noted by an X. When I view his details, I can see that it is valud from 1997-2004 - a year ago. A refresh of the page resolves the matter, but it eventually repeats.
I'm using LSHTTP 2.1RC2, and Verisign SSL certificates.
Thank!
We use SSL_CTX_use_certificate_chain_file() function in openssl to load the chained certificate. below is the descript of this function from openssl document.
So, I think you need to merge your server certificate with the CA certificates to one file if you had not done so yet.
SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object.