ssl for nginx, old browsers

Igor Sysoev is at rambler-co.ru
Tue Oct 6 17:29:50 MSD 2009


On Tue, Oct 06, 2009 at 09:18:53AM -0400, eternity wrote:

> So, I made a bit of progress
> I took chrome which doesn't ask for risk, and exported chain
> So, now, old version asks only once to add root CA and then it becomes silent
> Now the question - how to add one more element in chain so old browsers won't even ask for adding CA
> site: https://svpage.ru

openssl s_client -connect svpage.ru:443
...
---
Certificate chain
 0 s:/C=RU/postalCode=198411/ST=Some-State/L=Saint-Petersburg/streetAddress=Sankt-Peterburg, g. Lomonosov Svyazi, d. 1/O=CJS SV-Groupe/OU=CJS SV-Groupe/OU=Provided by Hosting-Center RBC/OU=RBC HC Gold SSL/CN=www.svpage.ru
   i:/C=RU/O=RBC Hosting Center/CN=RBC HC High Assurance Services CA
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

First, the certificate is for www.svpage.ru.
Second, the certificate is signed by RBC, however, RBC's certificate is
not signed: you have a broken chain:

    www.svpage.ru --- RBC -||- USERTRUST


-- 
Igor Sysoev
http://sysoev.ru/en/
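
The two checks made in the reply above (certificate name against the requested host, and each issuer matching the next subject sent), as an added example that is not part of the original message. It assumes the older slash-separated `s:`/`i:` output format quoted above and compares only the CN, exactly; the function names are hypothetical.

```python
import re

# Chain block as quoted in the s_client output above.
S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/C=RU/postalCode=198411/ST=Some-State/L=Saint-Petersburg/streetAddress=Sankt-Peterburg, g. Lomonosov Svyazi, d. 1/O=CJS SV-Groupe/OU=CJS SV-Groupe/OU=Provided by Hosting-Center RBC/OU=RBC HC Gold SSL/CN=www.svpage.ru
   i:/C=RU/O=RBC Hosting Center/CN=RBC HC High Assurance Services CA
 1 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+ s:(.*)", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:(.*)", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def common_name(dn):
    """Last /CN= component of a slash-separated DN, or None."""
    m = re.search(r"/CN=([^/]*)$", dn)
    return m.group(1) if m else None

def find_breaks(chain):
    """Indexes i where cert i's issuer is not the subject of cert i+1."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]

def check(text, requested_host):
    chain = parse_chain(text)
    if not chain:
        return ["no certificate chain found in input"]
    problems = []
    leaf_cn = common_name(chain[0][0])
    if leaf_cn != requested_host:  # assumption: exact CN match, no SAN/wildcards
        problems.append(f"name mismatch: certificate is for {leaf_cn}, not {requested_host}")
    for i in find_breaks(chain):
        problems.append(f"broken chain after cert {i}: server did not send {common_name(chain[i][1])}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(S_CLIENT_OUTPUT, "svpage.ru")))
```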




