Intermediate Certificate chaining problem?
on 18.11.2002 19:44:49 by Evan Dillon
I need help solving the following problem
I have recently obtained and installed a secure certificate from VeriSign. However, visitors to my site still get an error message stating that we are using a certificate signed by an untrusted CA. Netscape and Mozilla users are alerted by a pop-up, while IE users would only notice the error if they explore the certificate by clicking the 'lock' icon.
This is the information provided by "Issuer" under the "Details" tab of "Certificate Information" in IE6/Win98; the same information is provided by Mozilla 1.0.1/RH7.3:
OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
OU = VeriSign International Server CA - Class 3
OU = VeriSign, Inc.
O = VeriSign Trust Network
I have installed the certificate and the intermediate certificate per the mod_ssl instructions and verified the installation with VeriSign's instructions, but visitors to my site still get an error that the cert has been signed by an untrusted CA. However, the properties of the cert reveal that the issuer is indeed VeriSign Trust Network. VeriSign support has told me that it is an installation error, and that the cert is not "chaining."
My installation: I received the cert from VeriSign as an email attachment and saved the cert to $APACHE_HOME/conf/ssl.crt/server.crt. I then visited the VeriSign web site, copied and pasted the intermediate cert into a text editor (gEdit) and saved the file to $APACHE_HOME/conf/ssl.crt/ca.crt. I updated my conf with the following directives:
....
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
Apache was then restarted: $APACHE_HOME/bin/apachectl stop; $APACHE_HOME/bin/apachectl startssl. I have even tried recompiling Apache and used `make certificate TYPE=existing`.
I am using:
RH 7.1
Apache 1.3.27
openssl-0.9.6e
mod_ssl-2.8.12-1.3.27
Has anyone else experienced this or can they point out any errors with my process?
Thanks
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: Intermediate Certificate chaining problem?
on 18.11.2002 22:59:14 by Ed Loehr
On Monday 18 November 2002 11:44 am, Evan Dillon wrote:
>
> My installation: I received the cert from Verisign as an email
> attachment and saved the cert to:
> $APACHE_HOME/conf/ssl.crt/server.crt. I then visited the VeriSign
> web site copied and pasted the intermediate cert into a text editor
> (gEdit) and saved the file to $APACHE_HOME/conf/ssl.crt/ca.crt. I
> updated my conf with the following directives:
>
>
>
> ...
>
> SSLCertificateFile conf/ssl.crt/server.crt
> SSLCertificateKeyFile conf/ssl.key/server.key
> SSLCACertificateFile conf/ssl.crt/ca.crt
>
> SSLProtocol -all +SSLv2
> SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
>
>
Evan,
You didn't say but did you add the SSLCertificateChainFile directive
to point to the intermediate ca.crt?
BTW, 0.9.6e may have security issues, not sure. There are 2 newer
releases.
Regards,
Ed
Re: Intermediate Certificate chaining problem?
on 18.11.2002 23:05:27 by Ed Loehr
On Monday 18 November 2002 02:59 pm, Ed Loehr wrote:
> > SSLCACertificateFile conf/ssl.crt/ca.crt
>
> You didn't say but did you add the SSLCertificateChainFile
> directive to point to the intermediate ca.crt?
>
> BTW, 0.9.6e may have security issues, not sure. There are 2 newer
> releases.
I'm not sure you need the SSLCACertificateFile directive. The
default may point to a bundle of CA certs provided with the
distribution.
Regards,
Ed
Re: Intermediate Certificate chaining problem?
on 19.11.2002 00:51:44 by Evan Dillon
I see that I have made a mistake in my configuration and corrected it; however, now Apache won't start in SSL mode: the ssl_engine_log shows the error "Failed to configure CA certificate chain!" Any ideas? A search for the string "Failed to configure CA certificate chain!" doesn't return much that is helpful.
I changed
SSLCACertificateFile conf/ssl.crt/ca.crt
to
SSLCertificateChainFile conf/ssl.crt/ca.crt
I have also installed the latest version of OpenSSL.
However, when starting Apache this time around, the ssl_engine_log states:
[18/Nov/2002 16:36:39 09640] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.12, Library: OpenSSL/0.9.6g
....
[18/Nov/2002 16:36:39 09641] [info] Init: (www.hr.utah.edu:443) RSA server certificate enables Server Gated Cryptography (SGC)
[18/Nov/2002 16:36:39 09641] [error] Init: (www.hr.utah.edu:443) Failed to configure CA certificate chain!
Thanks
Evan
>>> modssl-users@bluepolka.net 11/18/02 03:05PM >>>
On Monday 18 November 2002 02:59 pm, Ed Loehr wrote:
> > SSLCACertificateFile conf/ssl.crt/ca.crt
>
> You didn't say but did you add the SSLCertificateChainFile
> directive to point to the intermediate ca.crt?
>
> BTW, 0.9.6e may have security issues, not sure. There are 2 newer
> releases.
I'm not sure you need the SSLCACertificateFile directive. The
default may point to a bundle of CA certs provided with the
distribution.
Regards,
Ed
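The two symptoms in this thread are the same chain problem seen from two sides: a browser that trusts only the VeriSign root cannot validate a server certificate issued by the intermediate unless the server sends the intermediate along, and in mod_ssl the directive that does that is SSLCertificateChainFile (SSLCACertificateFile governs client-certificate verification, not the chain the server presents). The script below is an added example, not code from the thread or from the mod_ssl project: it builds a throwaway root -> intermediate -> server PKI with made-up names (Example Root, Example Intermediate CA, www.example.test), reproduces the "untrusted CA" failure with and without the intermediate, checks that the intermediate really is the issuer of the server cert, and checks that a chain file is readable and well-formed PEM before Apache is pointed at it, including a deliberately damaged copy of the kind a copy-and-paste from a web page can produce. It assumes only the openssl CLI (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the chaining
# failure with a throwaway PKI and run the checks a practitioner would run
# on ca.crt before using it with SSLCertificateChainFile.
# Assumes: openssl 1.1.1+ on PATH. All names and hosts below are made up.
set -u

# Build root -> intermediate -> server, mirroring the VeriSign layout: the
# server cert is issued by the intermediate, not by the trusted root.
# Writes root.crt, ca.crt (the intermediate) and server.crt into $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null || return 1
    # An intermediate must carry CA:TRUE or verification rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl x509 -req -days 30 -in "$dir/ca.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# What a client that trusts ROOT sees. Without CHAIN it stops at the missing
# issuer ("unable to get local issuer certificate"); with CHAIN it succeeds.
verify_server_cert() {        # verify_server_cert ROOT SERVER [CHAIN]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# The chain file only helps if the intermediate's subject is the server
# cert's issuer; compare the two DNs as openssl prints them.
chain_links() {               # chain_links SERVER INTERMEDIATE
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$2" -noout -subject 2>/dev/null | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# A chain file the server can load must be readable and must consist of
# well-formed PEM certificates. crl2pkcs7 loads every cert in the file, so a
# damaged second or third certificate is caught too.
chain_file_loads() {          # chain_file_loads FILE
    [ -r "$1" ] || return 1
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout >/dev/null 2>&1
}

count_certs() {               # count_certs FILE
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || { echo "could not build the test PKI"; rm -rf "$dir"; return 1; }
    if verify_server_cert "$dir/root.crt" "$dir/server.crt"; then
        echo "unexpected: server.crt verified without the intermediate"
    else
        echo "without chain: untrusted issuer (the error the browser reports)"
    fi
    verify_server_cert "$dir/root.crt" "$dir/server.crt" "$dir/ca.crt" && echo "with chain: OK"
    chain_links "$dir/server.crt" "$dir/ca.crt" && echo "ca.crt is the issuer of server.crt"
    chain_file_loads "$dir/ca.crt" && echo "ca.crt loads: $(count_certs "$dir/ca.crt") certificate(s)"
    # Simulate a mangled paste: drop one base64 line from the body.
    sed '5d' "$dir/ca.crt" > "$dir/broken.crt"
    chain_file_loads "$dir/broken.crt" || echo "broken.crt does not load: fix it before restarting Apache"
    rm -rf "$dir"
}

demo
```

Run the checks against the real files (root from the browser or OS trust store, ca.crt, server.crt) before restarting Apache; once the server is up, `openssl s_client -connect host:443 -showcerts` lists every certificate the server actually sends, so a missing intermediate is visible without a browser.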