SSL certificate chain

Steve Wilson lists-nginx at swsystem.co.uk
Mon Sep 2 11:12:52 UTC 2013


On 2013-09-02 11:59, Daniel Lundqvist wrote:
> I have, it just says only 1 certificate is provided. Here are the test
> results:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu
...

I note that you're using startcom for the certificate, I recall that the 
intermediate certificate they say to use isn't actually the one provided 
and had to complete the certificate chain myself.

https://www.ssllabs.com/ssltest/analyze.html?d=www.stevewilson.co.uk

To build up my pem I started with the crt and key, then running "openssl 
x509 -in cert.pem -noout -text" I was then able to download the correct 
intermediate using the "CA Issuers - URI" provided in the certificate. 
Appending this to the pem and retesting. Repeating the process for each 
certificate until it became valid.

  Authority Information Access:
                 OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
                 CA Issuers - 
URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt

It might be worth checking if your intermediate matches the above 
sub.class1.server.ca.crt one.



More information about the nginx mailing list