The certificate chain presented by the server should be sorted according to the TLS Specification:
    certificate_list
       This is a sequence (chain) of X.509v3 certificates. The sender's
       certificate must come first in the list. Each following
       certificate must directly certify the one preceding it. Because
       certificate validation requires that root keys be distributed
       independently, the self-signed certificate that specifies the root
       certificate authority may optionally be omitted from the chain,
       under the assumption that the remote end must already possess it
       in order to validate it in any case.
You can check the list that is presented using openssl s_client -connect your.host.name:443, for example. Taking github.com as an example, you should get something like this:
    Certificate chain
     0 s:/O=*.github.com/OU=Domain Control Validated/CN=*.github.com
       i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
       i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
     2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
       i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
     3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
       i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
The issuer of a certificate in the chain should be the subject of the next certificate.
The order presented by the server matches the order in which you've put the certificates in PEM format in the Apache Httpd configuration files.
Either you chain them all in the file referred to by SSLCertificateFile, or you only put your server certificate there and put the rest of the chain, in order, in a separate file referred to by SSLCertificateChainFile.
To check which PEM fragment (between --... BEGIN/END ...--) is which, copy each into a separate .pem file and check what your favourite PEM viewer says, or paste the fragment into the standard input of openssl x509 -text -noout.
More posts by @Yeniel560
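The issuer-equals-next-subject rule from the answer above can be checked mechanically. The following is an added example, not part of the original post: the function and sample names are hypothetical, the sample listings are constructed, and it compares names only (it does not verify signatures).

```shell
#!/bin/sh
# check_chain_order reads `openssl s_client` output on stdin and checks that
# the issuer (i:) of each listed certificate equals the subject (s:) of the
# next one. Exit status: 0 ordered, 1 broken link, 2 no certificates found.
check_chain_order() {
    awk '
        # Subject line, e.g. " 0 s:/CN=..." ; other lines are ignored.
        /^[ \t]*[0-9]+[ \t]+s:/ {
            subj = $0
            sub(/^[ \t]*[0-9]+[ \t]+s:/, "", subj)
            sub(/[ \t\r]+$/, "", subj)
            if (n > 0 && subj != issuer) {
                printf "cert %d: subject \"%s\" is not the issuer of cert %d (\"%s\")\n", n, subj, n - 1, issuer
                bad = 1
            }
            n++
            next
        }
        # Issuer line belonging to the certificate just seen.
        /^[ \t]*i:/ {
            issuer = $0
            sub(/^[ \t]*i:/, "", issuer)
            sub(/[ \t\r]+$/, "", issuer)
            next
        }
        END {
            if (n == 0) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: leaf, intermediate, root, in the order TLS requires.
sample_ordered() {
    printf '%s\n' 'Certificate chain' \
        ' 0 s:/CN=www.example.test' '   i:/O=Example/CN=Example Issuing CA' \
        ' 1 s:/O=Example/CN=Example Issuing CA' '   i:/O=Example/CN=Example Root CA' \
        ' 2 s:/O=Example/CN=Example Root CA' '   i:/O=Example/CN=Example Root CA'
}

# Constructed sample: the two CA certificates were concatenated in the wrong order.
sample_misordered() {
    printf '%s\n' 'Certificate chain' \
        ' 0 s:/CN=www.example.test' '   i:/O=Example/CN=Example Issuing CA' \
        ' 1 s:/O=Example/CN=Example Root CA' '   i:/O=Example/CN=Example Root CA' \
        ' 2 s:/O=Example/CN=Example Issuing CA' '   i:/O=Example/CN=Example Root CA'
}

sample_ordered | check_chain_order && echo "ordered chain: OK"
sample_misordered | check_chain_order || echo "misordered chain: rejected"
```

Against a live server, pipe the command from the answer into the function: openssl s_client -connect your.host.name:443 </dev/null 2>/dev/null | check_chain_order.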