Re: Thawte SSL with 3 certificates

Maxim Dounin
June 06, 2011 08:16PM
Hello!

On Mon, Jun 06, 2011 at 07:59:47PM -0400, ajfisher wrote:

> So after playing around with this further and using the openssl client
> to see what is coming back it's still not working. For some reason the
> chain hierarchy isn't coming through to the client. Even with openssl
> client it can see there are three certificates but the one thing that
> stands out for me is that there is a line in the response saying "No
> client certificate CA names sent" which chimes with what I'm seeing on

The "No client certificate CA names sent" is normal unless you are
using ssl_verify_client.

[...]

> ---
> Certificate chain
> 0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
> i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
> 1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
> 2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
> i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

This is the *wrong* order. It should be a chain from your cert to one
signed by the root cert, and each cert should be followed by its issuer
cert ("i:" should be followed immediately by an identical "s:").
I.e., in your case it should be:

0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

You should change the order of the last two certs in your ssl_certificate
file.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
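The ordering rule Maxim states above ("i:" of one cert must be followed immediately by an identical "s:" on the next) is easy to check mechanically. The following is an added example, not code from the thread or from the nginx project: it parses the "Certificate chain" block that `openssl s_client` prints, reports every position where the rule is broken, and rebuilds the correct order starting from the leaf. The sample input is the mis-ordered chain quoted in the thread, re-typed here as constructed `s_client` output with the wrapped lines joined; all function and variable names are this example's own.

```python
"""Check and repair the order of a TLS certificate chain as printed by
`openssl s_client`.  Example code added to the thread; the names below
are the example's own, and SCLIENT_OUTPUT is constructed sample input."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the mis-ordered chain from the thread, formatted the
# way `openssl s_client -connect my.domain.com:443` prints it.
SCLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
"""

Pair = Tuple[str, str]  # (subject, issuer) exactly as printed after "s:" / "i:"


def parse_chain(text: str) -> List[Pair]:
    """Extract (subject, issuer) pairs from the 'Certificate chain' section."""
    pairs: List[Pair] = []
    subject: Optional[str] = None
    in_chain = False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if in_chain and line.startswith("---"):
            break  # end of the chain section
        if not in_chain:
            continue
        m = re.match(r"\s*(\d+)\s+s:(.*)$", line)
        if m:
            subject = m.group(2).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            pairs.append((subject, m.group(1).strip()))
            subject = None
    return pairs


def chain_problems(pairs: List[Pair]) -> List[int]:
    """Indices k where cert k's issuer is not cert k+1's subject.
    An empty list means the chain is in the order TLS clients expect."""
    return [k for k in range(len(pairs) - 1) if pairs[k][1] != pairs[k + 1][0]]


def reorder_chain(pairs: List[Pair]) -> List[Pair]:
    """Rebuild the chain from the leaf (index 0): repeatedly append the cert
    whose subject equals the previous cert's issuer.  Stops at a self-signed
    cert or when the issuer is not in the bundle (e.g. the root was omitted);
    certs that never get linked are dropped from the result."""
    if not pairs:
        return []
    ordered = [pairs[0]]
    remaining = list(pairs[1:])
    while remaining:
        want = ordered[-1][1]
        if ordered[-1][0] == want:
            break  # reached a self-signed root
        nxt = next((p for p in remaining if p[0] == want), None)
        if nxt is None:
            break  # issuer not present in the bundle
        remaining.remove(nxt)
        ordered.append(nxt)
    return ordered


def common_names(pairs: List[Pair]) -> List[str]:
    """Subject CNs in chain order, handy for a readable report."""
    return [p[0].rsplit("CN=", 1)[1] for p in pairs]


if __name__ == "__main__":
    chain = parse_chain(SCLIENT_OUTPUT)
    bad = chain_problems(chain)
    print("as served:", common_names(chain), "broken after index:", bad)
    if bad:
        print("correct order:", common_names(reorder_chain(chain)))
```

Running it against the sample reports breaks after indices 0 and 1 and proposes leaf, "Thawte SSL CA", "thawte Primary Root CA", which is exactly the order Maxim gives; the operator then reorders the PEM blocks in the ssl_certificate file to match and re-checks with `openssl s_client`.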