LiteSpeed Technologies

#1 | 07-10-2005, 12:04 PM | ktippetts (New Member; Join Date: Jul 2005; Posts: 3)
Chained SSL Certificates ?

I have looked through the docs and searched the forum and there doesn't seem to be any documentation on configuring Chained SSL Certificates. I have tried adding the chain cert and my cert together in the same file to no avail. This is on 2.1RC1
#2 | 07-11-2005, 11:39 AM | mistwang (LiteSpeed Staff; Join Date: May 2003; Location: New Jersey; Posts: 7,603)
Thank you for your feedback.

Chained Certificate support has been added to 2.1RC2; it will be released soon.

George Wang
#3 | 07-26-2005, 10:01 AM | mistwang (LiteSpeed Staff; Join Date: May 2003; Location: New Jersey; Posts: 7,603)
Chained Certificate should be supported by 2.1RC2 now; please try.
#4 | 07-26-2005, 09:12 PM | ktippetts (New Member; Join Date: Jul 2005; Posts: 3)
This works great, thank you!
#5 | 08-24-2005, 05:50 PM | SyNeo (Senior Member; Join Date: Dec 2004; Posts: 59)
Hi.

I have a question regarding the chained certificates, and perhaps an issue to report.

I have 3 files in total: the server certificate, the server key, and the certificate authority certificate. Apache has a setting named "SSLCertificateChainFile" that allows specifying a path to the CA certificate, but lshttpd only allows setting "Chained Certificate" to Yes. The question is, how does lshttpd manage to chain the certificates without the path to the chain certificate?

Now the issue, which I believe is related to the question. Sometimes I'm getting a warning "The certificate is expired or not valid yet", and when I check the "certification path", I can see that the middle certificate (there are 3) is noted by an X. When I view its details, I can see that it is valid from 1997-2004 - a year ago. A refresh of the page resolves the matter, but it eventually repeats.

I'm using LSHTTP 2.1RC2 and Verisign SSL certificates.

Thanks!
#6 | 08-24-2005, 08:17 PM | mistwang (LiteSpeed Staff; Join Date: May 2003; Location: New Jersey; Posts: 7,603)
We use the SSL_CTX_use_certificate_chain_file() function in OpenSSL to load the chained certificate. Below is the description of this function from the OpenSSL documentation.

Quote:
SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object.

So, I think you need to merge your server certificate with the CA certificates into one file if you have not done so yet.
#7 | 08-25-2005, 02:19 AM | SyNeo (Senior Member; Join Date: Dec 2004; Posts: 59)
Hi.

Thanks for the explanation!

It was a simple matter of "cat server.crt ca.crt > chained.crt".
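
An added example, not part of the thread and not LiteSpeed's code: a shell function that checks a merged file such as chained.crt against the order the quoted OpenSSL documentation requires (server certificate first, then each issuing CA in turn). The function name check_chain_order is hypothetical, and the script assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the thread): check that a PEM bundle is ordered
# server certificate first, then each issuing CA in turn.
# It compares issuer/subject names only; it does not verify signatures.

# check_chain_order FILE   (hypothetical helper name)
#   status 0: each certificate's issuer is the subject of the next one
#   status 1: a certificate is out of order (position reported on stderr)
#   status 2: no certificate found in FILE
# The body runs in a subshell, so "exit" only leaves the function.
check_chain_order() (
    bundle=$1
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT

    # Split the bundle: one file per PEM certificate block, in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    [ -f "$tmp/cert-1.pem" ] || { echo "no certificates in $bundle" >&2; exit 2; }

    i=1
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer -nameopt RFC2253)
        next=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject -nameopt RFC2253)
        if [ "${issuer#issuer=}" != "${next#subject=}" ]; then
            echo "certificate $((i + 1)) is not the issuer of certificate $i" >&2
            echo "  expected: ${issuer#issuer=}" >&2
            echo "  found:    ${next#subject=}" >&2
            exit 1
        fi
        i=$((i + 1))
    done
    exit 0
)

# Usage: sh check_chain.sh chained.crt
if [ "$#" -gt 0 ]; then
    check_chain_order "$1"
fi
```

A file that passes this check can still fail validation in a browser if one of the certificates in it has expired, so the validity dates of each certificate are worth checking separately.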