Certificate Chain Issues

  • TimOberfoell


    I am trying to create a simple certification chain:

    RootCA <--> SubCA <--> Server-Certificate

    RootCA: self-signed certificate created with xca
    SubCA: certificate signed with the RootCA certificate
    Server-Certificate: exported in a *.pem file and signed by the SubCA

    I've exported the RootCA certificate in a *.crt file and imported it in my browser!
    The Server-certificate is used by webmin (SSL Encryption).

    If I try to open the webpage of webmin, a dialog pops up. Firefox is not able to prove the validity of the submitted certificate.

    If I import the certificate of the SubCA in Firefox, everything works fine!
    So there must be a problem in the certificate chain.

    Any hints? If you need further information, just let me know.

    Best Regards,

    • As long as no one knows about the SubCA, there is a missing link.
      So either you tell Firefox about it (and when you did, it worked suddenly)
      or you tell your webserver to not only provide the server certificate,
      but also send the SubCA certificate. This enables Firefox to follow
      the chain from the server cert via the SubCA cert up to the RootCA.

      The apache2 option for this is "SSLCertificateChainFile"
      at "http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html"

      Other webservers have similar options.
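
The missing link described in the reply can be reproduced offline with the openssl command line. This is an added example, not part of the original thread; the demo CA names, file names and the helper functions `build_demo_pki` and `chain_verifies` are made up for illustration.

```shell
#!/bin/sh
# Constructed demo PKI mirroring the thread: RootCA -> SubCA -> server cert.
# All names, files and helper functions are hypothetical, for illustration only.

# build_demo_pki DIR: create root.crt, sub.crt and server.crt (plus keys) in DIR.
build_demo_pki() (
  cd "$1" || exit 1
  # Minimal inline config so the system openssl.cnf is not needed.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  echo 'basicConstraints=CA:FALSE' > leaf.ext
  for n in root sub server; do
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
      -subj "/CN=Demo $n" -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  # Self-signed root, SubCA signed by the root, server cert signed by the SubCA.
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.crt 2>/dev/null &&
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -set_serial 2 \
    -days 2 -extfile ca.ext -out sub.crt 2>/dev/null &&
  openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -set_serial 3 \
    -days 2 -extfile leaf.ext -out server.crt 2>/dev/null
)

# chain_verifies ROOT LEAF [SENT]: succeed only if LEAF chains up to the trusted
# ROOT. SENT models the extra certificates the server sends with its own
# certificate; they are used for path building but are not trusted themselves.
chain_verifies() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1 | grep -q ': OK$'
}

# Compare a server that sends only its own certificate with one that also
# sends the SubCA certificate (the role of the chain file in the reply).
dir=$(mktemp -d) && build_demo_pki "$dir" || exit 1
for sent in "" "$dir/sub.crt"; do
  if chain_verifies "$dir/root.crt" "$dir/server.crt" "$sent"; then
    echo "extra certs sent: [${sent##*/}] -> chain verifies"
  else
    echo "extra certs sent: [${sent##*/}] -> missing link, verification fails"
  fi
done
```

Against a live server, `openssl s_client -connect HOST:PORT -showcerts` prints the certificates the server actually sends, so a missing SubCA shows up as a list containing only the server certificate.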