Certificate chain in SSL server  
by Berl Steiner
posted on 2005/03/17

I have successfully compiled and run the SSL server with the test certificate and also one created using a third-party issuing authority (after converting their .crt file to .pfx with openssl). So far so good!

When I browse to the server the browser reports that the certificate is untrusted. This is, of course, correct but I need to resolve this. I have received two "higher-level" certificates from the issuer which I have not used so far. I guess I have to tell the server to send these along with my certificate to ensure the browser can verify the authority chain. But I've not been able to work out how to do this or if it is possible.

I would be grateful for a hint!

Thanks.

by Dmytro [ecode at programmer dot net]
posted on 2005/03/18

Here is a really cool project that gives out free certificates!

http://cert.startcom.org/

Do you by any chance know how to attach a private key to the certificate, because that's the only problem I can't figure out...

by Berl Steiner
posted on 2005/03/19

But this still leaves me with the same problem, i.e. that the certificate is untrusted by the user's browser (which, in my case, I have no control over).

In response to your question, I used the following openssl command to create a PFX from a PEM certificate and private key:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.pfx -name "Test Certificate"

by Berl Steiner
posted on 2005/03/21

I have since solved the problem: The intermediate certificates have to be concatenated into one file for the openssl command to work. The revised command is now:

openssl pkcs12 -export -chain -CAfile certecdb12.crt -in certecdb.crt -inkey key.pem -out server.pfx -name "ecdb"

The web server example then works perfectly.

Hope this posting helps others.

If I can get this working in the real app a donation will be on its way!!!
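
The difference between the two openssl pkcs12 commands in this thread, as an added example that is not part of the original posts: it builds a constructed three-level test PKI, then counts the certificates inside a PFX exported without and with -chain -CAfile. The CA names, server.example, the intermediate file names, the helper function names and the password are assumptions made for the example.

```shell
#!/bin/sh
# Added example: constructed test PKI (root CA -> intermediate CA -> server cert).
# CA names, server.example, file names and the password are assumptions.
PASS=example    # constructed export password, test use only

make_test_pki() {    # $1 = existing working directory
  ( set -e; cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Constructed Root CA" -keyout root.key -out root.crt 2>/dev/null
    # The intermediate must be marked as a CA or chain building rejects it.
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
      -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 30 -out inter.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
      -keyout key.pem -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 30 -out cert.pem 2>/dev/null
    # Step from the thread: every issuer certificate concatenated into ONE file.
    cat inter.crt root.crt > chain.crt )
}

# Export server.pfx and print how many certificates ended up inside it.
count_pfx_certs() {    # $1 = working directory, $2 = "chain" or "leaf-only"
  ( set -e; cd "$1"
    if [ "$2" = chain ]; then
      openssl pkcs12 -export -chain -CAfile chain.crt -in cert.pem -inkey key.pem \
        -out server.pfx -name "Test Certificate" -passout "pass:$PASS"
    else
      openssl pkcs12 -export -in cert.pem -inkey key.pem \
        -out server.pfx -name "Test Certificate" -passout "pass:$PASS"
    fi
    openssl pkcs12 -in server.pfx -nokeys -passin "pass:$PASS" 2>/dev/null |
      grep -c 'BEGIN CERTIFICATE' )
}

work=$(mktemp -d)
make_test_pki "$work"
echo "without -chain: $(count_pfx_certs "$work" leaf-only) certificate(s) in server.pfx"
echo "with -chain:    $(count_pfx_certs "$work" chain) certificate(s) in server.pfx"
rm -rf "$work"
```

A PFX holding only the server certificate gives the server nothing but that one certificate to send, so the client has no intermediates from which to build a path to a trusted root.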

by Andrew Collins [andrew dot collins at sungard dot com]
posted on 2005/07/11

Hi, Berl.

 

Copyright © 2002-2007, The Mentalis.org Team. All rights reserved.
This site is located at http://www.mentalis.org/