Chained SSL Certificates?

Discussion in 'Install/Configuration' started by ktippetts, Jul 10, 2005.

  1. ktippetts

    ktippetts New Member

    I have looked through the docs and searched the forum and there doesn't seem to be any documentation on configuring Chained SSL Certificates. I have tried adding the chain cert and my cert together in the same file to no avail. This is on 2.1RC1.
  2. mistwang

    mistwang LiteSpeed Staff

    Thank you for your feedback.

    Chained Certificate support has been added to 2.1RC2; it will be released soon.

    George Wang
  3. mistwang

    mistwang LiteSpeed Staff

    Chained Certificate should be supported by 2.1RC2 now, please try.
  4. ktippetts

    ktippetts New Member

    This works great, thank you!
  5. SyNeo

    SyNeo New Member

    Hi.

    I have a question regarding the chained certificates, and perhaps an issue to report.

    I have 3 files in total: the server certificate, the server key, and the certificate authority certificate. Apache has a setting named "SSLCertificateChainFile" that allows you to specify a path to the CA certificate, but lshttpd only allows setting "Chained Certificate" to Yes. The question is, how does lshttpd manage to chain the certificates without the path to the chain certificate?

    Now the issue, which I believe is related to the question. Sometimes I'm getting a warning "The certificate is expired or not valid yet", and when I check the "certification path", I can see that the middle certificate (there are 3) is marked with an X. When I view its details, I can see that it is valid from 1997-2004 - a year ago. A refresh of the page resolves the matter, but it eventually repeats.

    I'm using LSHTTP 2.1RC2, and Verisign SSL certificates.

    Thanks!
  6. mistwang

    mistwang LiteSpeed Staff

    We use the SSL_CTX_use_certificate_chain_file() function in OpenSSL to load the chained certificate. Below is the description of this function from the OpenSSL documentation.

    So, I think you need to merge your server certificate with the CA certificates into one file if you have not done so yet.
  7. SyNeo

    SyNeo New Member

    Hi.

    Thanks for the explanation!

    It was a simple matter of "cat server.crt ca.crt > chained.crt".
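
Added example, not part of the thread and not LiteSpeed's code: SSL_CTX_use_certificate_chain_file() expects the PEM file to start with the server certificate, followed by each issuing CA certificate in order, so the order of the files given to `cat` matters. The Python below checks that order by comparing each certificate's issuer name with the next certificate's subject name (names only, no signature or validity checks); `fake_cert` and the sample names are constructed for illustration.

```python
import base64, re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read the DER element at pos; return (tag, body start, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (real certificates)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_and_issuer(der_bytes):
    """Return the raw DER Name bytes (subject, issuer) of one X.509 certificate."""
    _, pos, _ = tlv(der_bytes, 0)              # enter Certificate
    _, pos, _ = tlv(der_bytes, pos)            # enter tbsCertificate
    tag, _, end = tlv(der_bytes, pos)
    if tag == 0xA0:                            # skip the optional [0] version
        pos = end
    fields = []
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(der_bytes, pos)
        fields.append(der_bytes[pos:end])
        pos = end
    return fields[4], fields[2]

def chain_order_problems(pem):
    """List the places where a chained PEM file is not leaf-first, issuer-next."""
    certs = [subject_and_issuer(base64.b64decode(b)) for b in PEM_CERT.findall(pem)]
    return [f"certificate {i} is not issued by certificate {i + 1}"
            for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]

# Constructed sample data: DER skeletons holding only the fields read above,
# not real signed certificates.
def der(tag, body):
    return bytes([tag, len(body)]) + body      # short-form length is enough here

def fake_cert(subject, issuer):
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0x30, der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject))
    body = base64.encodebytes(der(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

SERVER = fake_cert("www.example.test", "Example Intermediate CA")
CA = fake_cert("Example Intermediate CA", "Example Root CA")

if __name__ == "__main__":
    print(chain_order_problems(SERVER + CA))   # like: cat server.crt ca.crt
    print(chain_order_problems(CA + SERVER))   # like: cat ca.crt server.crt
```

To check a real file, pass its bytes, for example `chain_order_problems(open("chained.crt", "rb").read())`.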
