On Thu, May 29, 2003, David Luyer wrote:
> Hello,
>
> I'm having a problem trying to get a chained certificate to work with
> uw-imapd. It works fine with apache-ssl and apache + mod_ssl.
> On uw-imapd (which uses openssl) it fails as the CA certificate is
> not presented (so the mail client gives a warning), or if I try and
> present it OpenSSL rejects the key (and imapd completely fails).
>
> Basically I have:
>
> * The CA 'bundle' (certificate) -- 'bundle.pem'
> * The certificate - 'wildcard.crt'
> * The RSA private key - 'wildcard.key'
> * The certificate + key together - 'wildcard.pem'
>
> Using apache-ssl I do:
>
>   SSLCACertificateFile /etc/apache-ssl/bundle.pem
>   SSLCertificateFile /etc/apache-ssl/wildcard.pem
>
> Using mod-ssl I do:
>
>   SSLCACertificateFile /etc/apache/bundle.pem
>   SSLCertificateFile /etc/apache/wildcard.crt
>   SSLCertificateKeyFile /etc/apache/wildcard.key
>
> uw-imapd does the following (ignoring support for per-IP certs):
>
> * by default:
>
>   tmp=/etc/ssl/certs/imapd.pem
>
>   SSL_CTX_use_certificate_chain_file (stream->context,tmp)
>   SSL_CTX_use_RSAPrivateKey_file (stream->context,tmp,SSL_FILETYPE_PEM)
>
> * on debian:
>
>   tmpcrt=/etc/ssl/certs/imapd.pem
>   tmpkey=/etc/ssl/private/imapd.pem [if it exists, else use tmpcrt]
>
>   SSL_CTX_use_certificate_chain_file (stream->context,tmpcrt)
>   SSL_CTX_use_RSAPrivateKey_file (stream->context,tmpkey,SSL_FILETYPE_PEM)
>
> If I put the certificate from bundle.pem into the wildcard.pem, then the
> SSL_CTX_use_RSAPrivateKey_file fails, even if I only put it into the
> one used in the use_certificate_chain_file and not the one in the
> use_RSAPrivateKey_file (by using the two separate files).
>
> The error is:
>
>   SSL error status: error:0B080074:x509 certificate
>   routines:X509_check_private_key:key values misma
>
> What I expected/hoped to work was one of either:
>
> /etc/ssl/certs/imapd.pem:
>   -----BEGIN CERTIFICATE-----
>   (bundle.pem cert)
>   -----END CERTIFICATE-----
>   -----BEGIN CERTIFICATE-----
>   (wildcard.pem cert)
>   -----END CERTIFICATE-----
>
> /etc/ssl/private/imapd.pem:
>   -----BEGIN CERTIFICATE-----
>   (wildcard.pem cert)
>   -----END CERTIFICATE-----
>   -----BEGIN RSA PRIVATE KEY-----
>   (wildcard.pem key)
>   -----END RSA PRIVATE KEY-----
>
> OR
>
> /etc/ssl/certs:
>   -----BEGIN CERTIFICATE-----
>   (bundle.pem cert)
>   -----END CERTIFICATE-----
>   -----BEGIN CERTIFICATE-----
>   (wildcard.pem cert)
>   -----END CERTIFICATE-----
>   -----BEGIN RSA PRIVATE KEY-----
>   (wildcard.pem key)
>   -----END RSA PRIVATE KEY-----
>
> However, both of these fail as above.
>
> Am I going to have to modify the way uw-imapd uses OpenSSL to handle
> the chained certificate, or am I putting the wrong thing in the PEM
> files?
If the application correctly uses a trusted certificate store (directory
or file) then placing any intermediate CAs in it will automatically send
them with the server certificate.

So my guess is that the trusted certificate store isn't being accessed
correctly.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
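An added example, not part of the thread above and not uw-imapd or OpenSSL project code: a POSIX shell script that builds a throwaway CA and wildcard certificate with the openssl CLI and then inspects a combined PEM file the way SSL_CTX_use_certificate_chain_file() reads it. That function takes the first CERTIFICATE block in the file as the server certificate and only the blocks after it as the chain, so a file that begins with the CA certificate makes the subsequent private-key load fail X509_check_private_key, which is the "key values mismatch" error quoted in the question; with the server certificate first and the CA certificate after it, the same key loads. The check below compares the modulus of the first certificate with that of the key, which is what OpenSSL does at load time. All file names (bundle.pem, wildcard.crt, wildcard.key, wrong-order.pem, right-order.pem), subjects and keys are constructed here in a temporary directory and are not the poster's files; the script assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: emulate how SSL_CTX_use_certificate_chain_file() picks the
# server certificate from a PEM file and why the wrong order breaks the key.
# Everything below is constructed test data, not the poster's certificates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test CA (plays the role of bundle.pem) and a wildcard leaf
# certificate signed by it (wildcard.crt / wildcard.key). RSA, 1-day validity.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
  -keyout ca.key -out bundle.pem -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
  -keyout wildcard.key -out wildcard.csr >/dev/null 2>&1
openssl x509 -req -in wildcard.csr -CA bundle.pem -CAkey ca.key \
  -CAcreateserial -out wildcard.crt -days 1 >/dev/null 2>&1

# The layout tried in the question: CA certificate first, then the server cert.
cat bundle.pem wildcard.crt wildcard.key > wrong-order.pem
# Server (leaf) certificate first, then the issuing CA, then the key.
cat wildcard.crt bundle.pem wildcard.key > right-order.pem

# Modulus of the FIRST certificate in a file; "openssl x509" reads only the
# first CERTIFICATE block, exactly as the chain-file loader does.
first_cert_modulus() {
    openssl x509 -in "$1" -noout -modulus
}

# Modulus of the RSA private key in $1.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# Succeeds when the first cert in file $1 belongs to key $2, i.e. when
# X509_check_private_key() would pass after loading both.
chain_file_matches_key() {
    [ "$(first_cert_modulus "$1")" = "$(key_modulus "$2")" ]
}

# Subject of the certificate OpenSSL would present as the server certificate.
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Number of CERTIFICATE blocks in a file (server cert plus chain).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Succeeds when leaf $2 chains to the CA bundle $1 (sanity check on the data).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

for f in wrong-order.pem right-order.pem; do
    if chain_file_matches_key "$f" wildcard.key; then
        printf '%s: OK, server cert is "%s", %s cert(s) in file\n' \
            "$f" "$(first_cert_subject "$f")" "$(cert_count "$f")"
    else
        printf '%s: key values mismatch, first cert is "%s"\n' \
            "$f" "$(first_cert_subject "$f")"
    fi
done
```

Run as-is; it prints one line per layout, the mismatch for wrong-order.pem and OK for right-order.pem. To see the automatic chain building Steve describes, the same constructed files can be served with openssl s_server and inspected with openssl s_client -showcerts; that part is not scripted here.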