Certificate Chain Issues

  • TimOberfoell

    TimOberfoell - 2008-03-07


    I am trying to create a simple certification chain:

    RootCA <--> SubCA <--> Server-Certificate

    RootCA: selfsigned certificate created with xca
    SubCA: certificate signed with the RootCA certificate
    Server-Certificate: exportet in a *.pem file and signed by the SubCA

    I've exported the RootCA certificate in a *.crt file and imported it in my browser!
    The Server-certificate is used by webmin (SSL Encryption).

    If i try to open the webpage of webmin an dialog pops up. Firefox is not able to proof the validation of the submitted certificate.

    If i import the certificate of the SubCA in firefox everything works fine!
    So there must be a problem in the certificate chain.

    Any hints? If you need further information, just let me know.

    Best Regards,

    • Christian Hohnstaedt

      As long as noone knows about the SubCA, there is a missing Link.
      So either you tell Firefox about it (and when you did, it worked suddenly)
      or you tell your webserver to not only provide the server certificate,
      but also send the SubCA certificate. This enables firfox to follow
      the chain from the server cert via the SubCA cert up to the RootCA.

      The apache2 option for this is "SSLCertificateChainFile"
      at "http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html"

      Other webservers have similar options


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks