Thawte SSL with 3 certificates
Maxim Dounin
mdounin at mdounin.ru
Tue Jun 7 04:15:51 MSD 2011
Hello!
On Mon, Jun 06, 2011 at 07:59:47PM -0400, ajfisher wrote:
> So after playing around with this further and using the openssl client
> to see what is coming back it's still not working. For some reason the
> chain hierarchy isn't coming through to the client. Even with openssl
> client it can see there are three certificates but the one thing that
> stands out for me is that there is a line in the response saying "No
> client certificate CA names sent" which chimes with what I'm seeing on
The "No client certificate CA names sent" is normal unless you are
using ssl_verify_client.
[...]
> ---
> Certificate chain
>  0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
>    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
>  1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
>  2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
>    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
This is the *wrong* order. It should be a chain from your cert to the one
signed by the root cert; each cert should be followed by its issuer
cert ("i:" should be followed immediately by an identical "s:").
I.e. in your case it should be
0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
You should change the order of the last two certs in your ssl_certificate
file.
Maxim Dounin
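The ordering rule above can be checked mechanically before the bundle goes into ssl_certificate. The script below is an added example, not code from this thread or from nginx: it splits a PEM bundle, reads each certificate's subject and issuer with the openssl CLI, and reports any position where a certificate is not the issuer of the one before it. It assumes `openssl` and `awk` are on PATH; the three-level chain built by `make_demo_chain` is constructed test material with invented names, standing in for the Thawte chain in the thread.

```sh
#!/bin/sh
# Added example (not from the original thread or from nginx): verify that a
# PEM bundle used as nginx's ssl_certificate file lists each certificate
# directly before its issuer, i.e. that cert N's "i:" in the s_client
# output equals cert N+1's "s:". Assumes the openssl CLI and awk.

# Print the subject or issuer ($2 = subject|issuer) of one PEM file in
# RFC 2253 form, so both names come from the same formatter and compare
# exactly.
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# Return 0 if the bundle is in leaf-to-root order, 1 if some certificate
# is not the issuer of the one before it, 2 if the file holds no certs.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, numbered in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
    ' "$bundle"
    if [ ! -e "$tmp/001.pem" ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 2
    fi
    rc=0
    i=0
    prev_issuer=""
    for f in "$tmp"/*.pem; do
        i=$((i + 1))
        subj=$(cert_name "$f" subject)
        iss=$(cert_name "$f" issuer)
        # Every certificate after the first must be the issuer of its
        # predecessor: the previous "i:" must equal this "s:".
        if [ "$i" -gt 1 ] && [ "$subj" != "$prev_issuer" ]; then
            printf 'cert %d (%s) is not the issuer of cert %d; expected %s\n' \
                "$i" "$subj" "$((i - 1))" "$prev_issuer" >&2
            rc=1
        fi
        prev_issuer=$iss
    done
    rm -rf "$tmp"
    return $rc
}

# Build a constructed root -> intermediate -> leaf chain in directory $1
# (invented names, throwaway keys) plus a correctly ordered bundle
# (good.pem) and one in the order reported in the thread (bad.pem).
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=my.domain.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    # Correct ssl_certificate order: server cert, its issuer, then the root.
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good.pem"
    # Order from the thread: server cert, root, intermediate (wrong).
    cat "$d/leaf.pem" "$d/root.pem" "$d/int.pem" > "$d/bad.pem"
}

# Usage: sh check_chain.sh /path/to/ssl_certificate.pem
if [ "$#" -eq 1 ]; then
    check_chain_order "$1" && echo "chain order OK: $1"
fi
```

The check compares names only, which is exactly the mismatch visible in the s_client output above; it does not verify signatures, so run `openssl verify -CAfile root.pem -untrusted intermediates.pem server.pem` as well before deploying. After reloading nginx, `openssl s_client -connect my.domain.com:443 -showcerts` should then print the chain in the same order as the file.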