On 03/27/2014 12:37 PM, Rob Stradling wrote:
> On 26/03/14 16:46, Daniel Kahn Gillmor wrote:
> <snip>
>> it doesn't even need to fetch the certificate itself, it could just make
>> the big noisy error log say "you should fetch the cert from <AIAURL> and
>> append it to <SSLCertificateChainFile>"
>
> <AIAURL> is supposed to be DER-encoded rather than Base64-encoded, so
> the user would need to convert it using "openssl x509 -inform der -out"
> before appending it to <SSLCertificateChainFile>.
>
> <AIAURL> is sometimes a PKCS#7 "certs only" bundle of multiple certs,
> all issued to the same Subject CA. The certs can be extracted using
> "openssl pkcs7 -inform der -print_certs", but which one of those certs
> (if any) should the user append to <SSLCertificateChainFile>?
hm, that doesn't sound very user-friendly. Do we have a robust, free tool that, given a single X.509 EE cert, can do automagic fetching and trying of all combinations of these things and produce a reasonable PEM-encoded SSLCertificateChainFile on stdout? If we had such a tool, then the detection code in mod_ssl could just encourage people to run that tool.

--dkg
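The selection step Rob raises, as an added example (Python, standard library only; not code from the thread or from mod_ssl): given the EE certificate in DER and the bytes fetched from <AIAURL>, tell a bare DER certificate apart from a PKCS#7 "certs only" bundle, extract the candidates, and keep the one whose Subject equals the EE's Issuer. The fixtures are constructed, unsigned certificates, so this shows the structure handling only; signature checking is still left to `openssl verify`, and the DER-to-PEM conversion to the `openssl x509 -inform der` command quoted above.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # PKCS#7 signedData, 1.2.840.113549.1.7.2

def tlv(tag, body):
    """DER-encode one tag/length/value (lengths up to 65535 suffice here)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def walk(der):
    """Yield (tag, value, raw_tlv) for each element of a DER constructed value."""
    i = 0
    while i < len(der):
        tag, n, j = der[i], der[i + 1], i + 2
        if n & 0x80:                                    # long-form length: n & 0x7F length bytes follow
            k = n & 0x7F; n = int.from_bytes(der[j:j + k], "big"); j += k
        yield tag, der[j:j + n], der[i:j + n]
        i = j + n

def names(cert):
    """(issuer, subject) of a DER certificate as raw DER Name encodings, for exact comparison."""
    tbs = next(walk(next(walk(cert))[1]))[1]            # Certificate -> tbsCertificate body
    fields = [f for f in walk(tbs) if f[0] != 0xA0]     # drop the optional [0] version
    return fields[2][2], fields[4][2]                   # serial, sigAlg, issuer, validity, subject, ...

def candidates(blob):
    """Split an AIA caIssuers response into DER certs: a bare certificate or a certs-only PKCS#7."""
    children = list(walk(next(walk(blob))[1]))
    if children[0][0] == 0x30:                          # first child is tbsCertificate: single cert
        return [blob]
    if children[0][0] == 0x06 and children[0][1] == OID_SIGNED_DATA:
        signed = next(walk(children[1][1]))[1]          # [0] EXPLICIT content -> SignedData body
        certs = [v for t, v, _ in walk(signed) if t == 0xA0]   # [0] IMPLICIT certificates
        return [raw for _, _, raw in walk(certs[0])] if certs else []
    raise ValueError("AIA response is neither a certificate nor PKCS#7 SignedData")

def pick_issuer(ee_der, aia_blob):
    """Candidates whose Subject equals the EE Issuer; a prefilter only, signature checking stays with openssl."""
    issuer, _ = names(ee_der)
    return [c for c in candidates(aia_blob) if names(c)[1] == issuer]

def fake_cert(subject, issuer):
    """Constructed fixture: valid Certificate layout, CN-only Names, empty key and signature (not verifiable)."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def pkcs7_bundle(certs):
    """Constructed certs-only SignedData: version 1, no digests, id-data content, certificates, no signers."""
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
                 + tlv(0xA0, b"".join(certs)) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))
```

On a real bundle, `pick_issuer` may still return more than one candidate (re-issued intermediates with the same Subject), which is exactly the case where a name match is not enough and the chain must be verified against the EE's signature.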