Thawte SSL with 3 certificates

ajfisher nginx-forum at nginx.us
Tue Jun 7 03:59:47 MSD 2011


So after playing around with this further and using the openssl client
to see what is coming back it's still not working. For some reason the
chain hierarchy isn't coming through to the client. Even with openssl
client it can see there are three certificates but the one thing that
stands out for me is that there is a line in the response saying "No
client certificate CA names sent" which chimes with what I'm seeing on
the Chrome side which is that the certificate itself is valid but
there's no hierarchy that allows the certificate to become authorised.

Any ideas with this? I'm totally stumped - especially because I've dealt
with two-certificate setups before with absolutely no problems once I
realised I needed to concatenate them...

For what it's worth - this is the output of openssl client (obfuscated)

Cheers
ajfisher


CONNECTED(00000003)
depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify return:1
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify return:1
depth=0 /C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
.. SNIP ..
-----END CERTIFICATE-----
subject=/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3687 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 87D1AEB1E1625530ACACB0E88458C0AB310A4C94A2DAA8E5F9F7C333747FBD2D
    Session-ID-ctx: 
    Master-Key: ... SNIP ...
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1307404193
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,204035,204493#msg-204493
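Added note and example, not part of the original post. The "No client certificate CA names sent" line is a red herring: it only reports that the server sent no CertificateRequest, i.e. it is not asking the browser for a client certificate, and says nothing about the server's own chain. The thing that does stand out in the s_client output is the order of the "Certificate chain" entries. RFC 5246 section 7.4.2 requires the server's own certificate first and each following certificate to directly certify the one before it, so the expected order here is my.domain.com, then Thawte SSL CA, then thawte Primary Root CA. The posted chain has the root at position 1 and the intermediate at position 2, which is what a bundle built as server + root + intermediate produces; OpenSSL's own verify still returns 0 because it searches the whole untrusted set, but stricter clients will not. The checker below parses the chain section of s_client output and reports where the issuer-to-subject links break, then rebuilds the order a client expects. The sample input is the chain from the post above with the mail wrapping joined back together; the regexes and function names are this example's own.

```python
import re

# Constructed sample: the "Certificate chain" block from the s_client output
# above, with the mail-wrapped DN lines joined back onto one line each.
SAMPLE = """\
---
Certificate chain
 0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
"""

# s_client prints each chain entry as " N s:<subject>" followed by "   i:<issuer>".
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
CN_RE = re.compile(r"CN=([^/]+)")


def parse_chain(text):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    chain, subject, in_block = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if line.strip() == "---":          # end of the chain block
            break
        m = ENTRY_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_breaks(chain):
    """Positions i where cert i's issuer is not cert i+1's subject.

    RFC 5246 7.4.2 requires each certificate to directly certify the one
    before it. The last entry is not checked: it is either the root or the
    point where the sender chose to stop.
    """
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]


def ordered_indices(chain):
    """Rebuild the expected order by following issuer links from the leaf (index 0).

    Stops when the issuer is not in the set the server sent (or when the only
    candidate is a self-signed root already placed), so it never loops.
    """
    order, used = [0], {0}
    while True:
        issuer = chain[order[-1]][1]
        nxt = next((j for j, (subj, _) in enumerate(chain)
                    if subj == issuer and j not in used), None)
        if nxt is None:
            return order
        order.append(nxt)
        used.add(nxt)


def common_name(dn):
    m = CN_RE.search(dn)
    return m.group(1) if m else dn


if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    for i in chain_breaks(chain):
        print(f"break after entry {i}: issuer {common_name(chain[i][1])!r} "
              f"is not the subject of entry {i + 1} ({common_name(chain[i + 1][0])!r})")
    print("expected order:",
          " -> ".join(common_name(chain[i][0]) for i in ordered_indices(chain)))
```

Run against the posted output it reports breaks after entries 0 and 1 and an expected order of my.domain.com -> Thawte SSL CA -> thawte Primary Root CA. For nginx the fix is to rebuild the file named by ssl_certificate in that order: the server certificate first, then the Thawte SSL CA intermediate, then the cross-signed Primary Root, and reload. Two further things a practitioner would flag from the same output: "Server public key is 1024 bit" is a weak RSA key by current standards, and a chain that only verifies because the verifying side happens to reorder it should be treated as broken, since browsers and libraries differ in how forgiving they are.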