I have problems with a Verisign Global-ID certificate installed on a very old system. The Intermediate CA was installed according to the documentation on Verisign's website. The server's certificate is recognized only by Internet Explorer (tested versions 5.5 and 6). Other browsers do not recognize the certificate - they complain that the site's certificate is incomplete (tested Mozilla, Mozilla Firebird, Opera). Errors in the ssl_engine_log:
[error] SSL handshake failed (server xxx:443, client a.b.c.d) (OpenSSL library error follows) [error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca I think the problem is related to the intermediate certificate but I can't identify it. Entries in ssl_engine_log while starting Apache: [info] Server: Apache/1.3.9, Interface: mod_ssl/2.4.10, Library: OpenSSL/0.9.4 [info] Init: 1st startup round (still not detached) [info] Init: Initializing OpenSSL library [info] Init: Loading certificate & private key of SSL-aware server xxx:443 [trace] Init: (xxx:443) unencrypted RSA private key - pass phrase not required [info] Init: Generating temporary RSA private keys (512/1024 bits) [info] Init: Configuring temporary DH parameters (512/1024 bits) [info] Init: 2nd startup round (already detached) [info] Init: Reinitializing OpenSSL library [trace] Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0 [info] Init: Seeding PRNG with 8 bytes of entropy [info] Init: Configuring temporary RSA private keys (512/1024 bits) [info] Init: Configuring temporary DH parameters (512/1024 bits) [info] Init: Initializing (virtual) servers for SSL [info] Init: Configuring server xxx:443 for SSL protocol [trace] Init: (xxx:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1) [trace] Init: (xxx:443) Configuring RSA server certificate [info] Init: (xxx:443) RSA server certificate enables Server Gated Cryptography (SGC) [trace] Init: (xxx:443) Configuring RSA server private key [trace] Init: (xxx:443) Configuring server certificate chain (0 CA certificates) ^^^^^^^^^^^^^^^^^^^^ What does "0 CA certificate" mean? In httpd.conf I have: SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key SSLCertificateChainFile /path/to/intermediate.crt Can someone help me? TIA. -- munca l-a facut pe om ... lenes. NEU FÜR ALLE - GMX MediaCenter - für Fotos, Musik, Dateien... Fotoalbum, File Sharing, MMS, Multimedia-Gruß, GMX FotoService Jetzt kostenlos anmelden unter http://www.gmx.net +++ GMX - die erste Adresse für Mail, Message, More! +++ ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]