We don't use a CAlist directive in our Pound configuration. We only
use the Cert directive, e.g.:
Cert "/etc/sslcerts/wildcard-combined.pem"
We construct a single PEM file for the SSL certificate chain, which
contains:
1. certificate for *.your.domain.tld (let's call that file
_.your.domain.tld.crt)
2. RSA private key (passphrase-free) for the *.your.domain.tld
certificate (let's call that file _.your.domain.tld.key)
3. certificate for the CA that signed *.your.domain.tld (typically
DigiCertCA.crt)
To construct this PEM file, you'll probably do something like this:
# cat _.your.domain.tld.crt _.your.domain.tld.key DigiCertCA.crt > wildcard-combined.pem
On Jun 10, 2009, at 6:50 AM, Grzegorz Danecki wrote:
Hello!
I'm trying to switch to a new wildcard certificate provided by
DigiCert, but I have a small issue:
http://www.digicert.com/help/index.htm says that
"This certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate."
Certificate (with the intermediate cert.) is visible and recognized by
browsers on Windows (FF, IE, Safari); however, the same browsers on Mac OSX
(Safari, FF) claim that it is not signed by a trusted CA.
Important parts of pound configuration are:
Cert "/etc/pound/host.pem"
CAList "/etc/pound/DigiCertCA.crt"
where host.pem contains:
-----BEGIN RSA PRIVATE KEY-----
(...my private key used to generate CSR)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(...certificate provided by DigiCert)
-----END CERTIFICATE-----
and ca-c contains:
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
So: root and intermediate certificate provided by DigiCert.
What's more interesting:
openssl verify -CAfile DigiCertCA.crt host.pem
host.pem: OK
Do you have any hints?
Thanks in advance
Grzegorz Danecki
--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
Karl Ward
Hunter College ICIT
[email protected]
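
Added example (not part of the original messages and not Pound's own code): a Python check of the layout of a combined PEM file like the one described in the reply above. It inspects PEM block labels only, not certificate contents; the function names and the sample data with placeholder bodies are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def lint_combined_pem(text):
    """Return a list of layout problems in a combined cert/key/chain PEM."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    keys = [(l, b) for l, b in blocks if l.endswith("PRIVATE KEY")]
    problems = []
    if certs == 0:
        problems.append("no certificate found")
    elif certs == 1:
        problems.append("only one certificate: no CA/intermediate "
                        "certificate accompanies the server certificate")
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    for label, body in keys:
        # Both PEM encryption styles require a passphrase to load the key.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected")
    return problems

def block(label, body="Q09OU1RSVUNURUQ="):
    """Build a PEM block with a constructed placeholder body (not real data)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed samples mirroring the two layouts in the thread.
REPLY_LAYOUT = (block("CERTIFICATE") + block("RSA PRIVATE KEY")
                + block("CERTIFICATE"))          # cert, key, CA cert
QUESTION_HOST_PEM = block("RSA PRIVATE KEY") + block("CERTIFICATE")

if __name__ == "__main__":
    for name, pem in [("reply layout", REPLY_LAYOUT),
                      ("question host.pem", QUESTION_HOST_PEM)]:
        print(name, "->", lint_combined_pem(pem) or "layout OK")
```
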