Hello!

On Fri, Nov 27, 2015 at 05:41:23PM +0100, Nicholas Wieland wrote:

> > On 27 Nov 2015, at 17:14, Maxim Dounin <[email protected]> wrote:

[...]

> > Make sure to properly configure certificate chains, see
> > http://nginx.org/en/docs/http/configuring_https_servers.html#chains
> > for details.
>
> I’m not entirely sure I understand why I need a certificate
> chain. The .crt file is what the provider sent me, that’s what I
> use. Should I “chain” the .crt file the provider sent me with
> the RapidSSL bundle? This is for testing and development, I
> don’t really care about performances, a slow solution is
> perfectly fine

Certificate chains are needed, because a typical certificate is
issued by an intermediate CA, while browsers know only about root
CAs. And a web server must supply intermediate CA certificate to
a browser (or other client) for the browser to be able to verify
that the certificate provided by the web server should be trusted.

The link quoted explains how to properly put certs into a
certificate file for things to work, and how to validate that the
result is correct.

Normally it's as easy as just concatenating your server's
certificate and the bundle provided by your CA. But things may
vary depending on CA - some CAs may provide incorrect bundles, or
certs in a wrong order within the bundle, or there may be more
than one bundle and you'll have to choose the right one. That is,
it's a good idea to understand what you are doing and verify that
the resulting chain returned by your server contains all needed
certs in the correct order (see "openssl s_client ..." part of the
link).

--
Maxim Dounin
http://nginx.org/
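The ordering check described in the reply can be run on the concatenated file before nginx loads it. The script below is an added example, not part of the original message or of the nginx documentation; the function name `check_chain_order` is hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: check that a PEM file lists each certificate directly before
# its issuer (server certificate first, then the intermediates).
# Only issuer/subject names are compared, by hash; signatures are not verified.
check_chain_order() (
    file=$1
    dir=$(mktemp -d) || exit 2
    trap 'rm -rf "$dir"' EXIT

    # Split the bundle into cert1.pem, cert2.pem, ... and print how many were found.
    n=$(awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$file") || exit 2

    if [ "$n" -eq 0 ]; then
        echo "$file: no certificates found" >&2
        exit 2
    fi

    i=1
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer_hash) || exit 2
        subject=$(openssl x509 -in "$dir/cert$next.pem" -noout -subject_hash) || exit 2
        if [ "$issuer" != "$subject" ]; then
            echo "$file: certificate $i is not followed by its issuer" >&2
            exit 1
        fi
        i=$next
    done
    echo "$file: $n certificate(s), order OK"
)

# Stand-alone use: sh check_chain.sh /path/to/chained.crt
if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```

A file that passes with only one certificate contains no intermediate at all, so the count in the output matters as much as the exit status. This checks the file on disk; the `openssl s_client` step from the linked documentation still confirms what the running server actually sends.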
