On Tue, Sep 13, 2016 at 03:57:33AM -0400, Ian Sutton wrote:
> On Tue, Sep 13, 2016 at 09:50:43AM +0200, Robert Klein wrote:
> > Did you try to /append/ the intermediate certificate(s) to the server
> > certificate? That worked for me on OpenBSD 6.0's httpd.
>
> Yes.
>
> Uncanny timing on your mail -- I just got it to work. httpd(8) needs the
> intermediate certificate to be at the *bottom* of the combined
> certificate, the opposite of what I'm used to.
Both nginx and apache do it like that...
-Otto
>
> To clarify for future readers: if you want to provide an intermediate
> certificate with OpenBSD httpd, your /etc/ssl/server.crt files should
> look like this:
>
> -----BEGIN CERTIFICATE-----
> <your cert>
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> <intermediate cert>
> -----END CERTIFICATE-----
>
>
> > An explanation might be the documentation to the
> > SSL_CTX_use_certificate_chain_XXX functions used:
> >
> > The SSL_CTX_use_certificate_chain*() functions load a certificate
> > chain into ctx. The certificates must be in PEM format and must
> > be sorted starting with the subject's certificate (actual client
> > or server certificate), followed by intermediate CA certificates
> > if applicable, and ending at the highest level (root) CA. There
> > is no corresponding function working on a single SSL object.
>
> I (myopically) missed this.
>
> > Best regards
> > Robert
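As an added example (not part of the thread above), here is a small POSIX sh check that a combined PEM file in the layout Ian describes is ordered the way SSL_CTX_use_certificate_chain_file() expects: server certificate first, then each issuer in turn. It only compares issuer and subject names with openssl(1) and does not verify signatures; the file names, CNs and the make_test_chain helper are assumptions used to build throwaway test data.

```shell
#!/bin/sh
# Added example: check the ordering of a combined PEM bundle such as
# /etc/ssl/server.crt (leaf first, then its issuer, ...). Needs openssl(1).
# Write each certificate of bundle $1 to $2.1, $2.2, ...; print the count.
split_bundle() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "." n }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}
# Return 0 when every certificate in $1 is issued by the certificate that
# follows it; 1 on the first mismatch (e.g. the intermediate placed above
# the leaf, or a missing link); 2 if a scratch directory cannot be made.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp/cert")
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert.$next" -noout -subject)
        # Strip the "issuer=" / "subject=" labels and compare the names.
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not issued by certificate $next" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$next
    done
    rm -rf "$tmp"
}
# Constructed test data: a throwaway root -> intermediate -> leaf chain in
# directory $1 (file names and CNs are assumptions, not real certificates).
make_test_chain() {
    d="$1"; new="-newkey rsa:2048 -nodes"
    openssl req -x509 $new -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/CN=Test Root" -days 1 2>/dev/null
    openssl req $new -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.crt" -days 1 2>/dev/null
    openssl req $new -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=www.example.com" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 1 2>/dev/null
}
# Usage: sh check_chain.sh /etc/ssl/server.crt
[ -z "$1" ] || check_chain_order "$1"
```

A non-zero exit with the "is not issued by" message is what you get when the intermediate is pasted above the server certificate, the mistake the thread describes.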