Yes, I have a production system with a GSID working fine for at least 3
months. I've placed the intermediate certificate in a file with all the
client certificates, so I'm using SSLCACertificateFile instead of
SSLCACertificatePath. But they should work both ways... perhaps you forgot
to hash the certificates (i.e. creating links to the certificates with the
cert fingerprint). I don't remember how you do it, but I'm sure you can
find it in the mod_ssl manual.
And yes, it works great (although the unoptimized renegotiation forces the
user to present the client cert twice when connecting for the first
time..., but that is about to change!)

Regards, Alfredo

Paul Rubin wrote:

> Simply dropping the intermediate cert into the directory pointed
> to by SSLCACertificatesPath doesn't seem to help.  The browser acts
> like it's just received the GSID itself which it treats as a valid
> cert signed by an unknown issuer, so I don't get the 128 bit step-up.

> ....

> Anyway I'm wondering, has anyone here gotten a real Verisign GlobalID
> (not a non-chained selfsigned one with a patched cert7.db file)
> to work with modssl?  What did you do to install the intermediate cert?
> Is there some tool that combines the certs in a chain into one PEM file?
> Has the GSID been observed to work (i.e. to give 128 bit crypto and
> not cause disconnects) in both Netscape and MSIE browsers?
>
> Thanks very much for any advice.
>
> Paul

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
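
Added example, not part of the original thread: the "hashing" step mentioned in the reply, which a directory given to SSLCACertificatePath needs because OpenSSL looks certificates up there by `<subject-hash>.N` file names. The function name `rehash_ca_dir` and the `.pem`/`.crt` file naming are assumptions; it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# rehash_ca_dir DIR (hypothetical helper): create OpenSSL subject-hash
# symlinks (<hash>.N) for every PEM certificate in DIR and print how many
# links were made. Assumes certificates are stored as *.pem or *.crt.
rehash_ca_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    # Drop stale hash links first, so a certificate that was deleted from
    # the directory does not stay reachable through a dangling old name.
    x='[0-9a-f]'
    for link in "$dir"/$x$x$x$x$x$x$x$x.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    linked=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        subj=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || {
            echo "skipping (not a PEM certificate): $cert" >&2
            continue
        }
        # Different files can share a subject hash (for example a renewed
        # CA certificate), so take the first free numeric suffix.
        n=0
        while [ -e "$dir/$subj.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$subj.$n"
        linked=$((linked + 1))
    done
    echo "$linked"
}

# Stand-alone use: sh rehash.sh /path/to/ca-directory
if [ "$#" -gt 0 ]; then rehash_ca_dir "$1"; fi
```

OpenSSL's own `c_rehash` script does the same job for a whole directory; after running either, the server has to be restarted to pick up the new links.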