The root CA certificate needs to be installed in the browser, have you done that?
It is not enough to put the root CA in the CA chain. The client must be able to build
a certificate chain that ends in a locally trusted certificate (usually a
preinstalled root CA).
I believe the hint in the log file is simply the most likely cause, not the actual
one in this case, which I guess would be (assuming you didn't install the
root CA and the names are correct):

- If you didn't put the root CA in the chain the client will be unable to
verify the signature on the intermediate CA certificate
- If you did put the root CA in the chain the client will end up with an
untrusted root CA certificate

Both of which would cause a bad certificate alert.

Hope this helps

Per Nilsson

Teleca Sweden East AB

eMail:  [EMAIL PROTECTED]

-----Original Message-----
From: Eleftheria Petraki [mailto:[EMAIL PROTECTED] 
Sent: 13 June 2005 16:09
To: openssl-users@openssl.org
Subject: Re: Certificate chain problem

> > Hi all,
> >
> > I have generated a self-signed root certification authority and an
> > intermediate certification authority signed by the root CA using
> > openssl 0.9.7g. The intermediate CA signed an apache 1 with mod-ssl
> > SSL server certificate. Both the root and intermediate PEM
> > certificates are placed in the file ca.crt pointed to by the directive
> > SSLCACertificateFile.
>
> How about putting the intermediate CA-certificate in the file ca.chain
> and letting the directive SSLCertificateChainFile point to it?
> SSLCACertificateFile is IMHO only for accepted CAs for client
> authentication (so no wonder the server does not accept the connection
> request, your browser does not have an according client certificate).

Unfortunately it is not working. IE still cannot display the page and
Mozilla causes the following entry in error_log:

[Mon Jun 13 16:42:57 2005] [error] OpenSSL: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
certificate not server name or identical to CA!?]

But the CN is identical to the server name and openssl verifies the server
certificate correctly. If both root and intermediate CA certificates are
imported in Mozilla the page is opened without problems. However, the same
thing does not work in IE - the page cannot be displayed. I am really confused.

>
> > I would greatly appreciate any help, since I cannot find any
> > solution for this.
>
> I hope it works as described above. Cheers,
>   Olaf
>
> --
> Dipl.Inform. Olaf Gellert                  PRESECURE (R)
> Senior Researcher,                       Consulting GmbH
> Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]
>
>                         A daily view on Internet Attacks
>                         https://www.ecsirt.net/sensornet
>
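
To make Per's point (and Olaf's SSLCertificateChainFile remark) concrete, here is an added example that is not part of the thread: it builds a throw-away root / intermediate / server PKI with constructed names (Root_CA, Intermediate_CA, Other_CA, www.example.test) and lets "openssl verify" play the browser for each chain and trust-store layout. It assumes an openssl binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away root -> intermediate
# -> server PKI with hypothetical names and let "openssl verify" play the
# browser, so the effect of each chain/trust-store layout can be seen.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed) and an unrelated "Other CA" the client happens to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Root_CA \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Other_CA \
  -keyout other.key -out other.crt 2>/dev/null

# Intermediate CA signed by the root; it must carry CA:TRUE to act as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj /CN=Intermediate_CA \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.crt 2>/dev/null

# Server certificate signed by the intermediate (the mod_ssl server cert).
openssl req -new -newkey rsa:2048 -nodes -subj /CN=www.example.test \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 1 -out server.crt 2>/dev/null

# Two candidate chain files for SSLCertificateChainFile.
cat int.crt > chain-int-only.pem
cat int.crt root.crt > chain-with-root.pem

# verify_chain TRUST_STORE CHAIN_FILE -> prints "ok" or "fail".
# TRUST_STORE stands in for the browser's installed CAs, CHAIN_FILE for the
# extra certificates the server sends along with server.crt.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" server.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "root NOT installed, chain = intermediate:        $(verify_chain other.crt chain-int-only.pem)"
echo "root NOT installed, chain = intermediate + root: $(verify_chain other.crt chain-with-root.pem)"
echo "root installed,     chain = intermediate:        $(verify_chain root.crt chain-int-only.pem)"
```

Only the third layout verifies: sending the root along in the chain does not help a client that never installed it, which is the "untrusted root CA certificate" case Per describes.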

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]