Thawte SSL with 3 certificates

Maxim Dounin mdounin at mdounin.ru
Tue Jun 7 04:15:51 MSD 2011 

Hello!

On Mon, Jun 06, 2011 at 07:59:47PM -0400, ajfisher wrote:

> So after playing around with this further and using the openssl client
> to see what is coming back it's still not working. For some reason the
> chain hierarchy isn't coming through to the client. Even with openssl
> client it can see there are three certificates but the one thing that
> stands out for me is that there is a line in the response saying "No
> client certificate CA names sent" which chimes with what I'm seeing on

The "No client certificate CA names sent" is normal unless you are 
using ssl_verify_client.

[...]

> ---
> Certificate chain
>  0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My
> Biz/OU=Marketing/CN=my.domain.com
>    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
>  1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
> thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> cc/OU=Certification Services Division/CN=Thawte Premium Server
> CA/emailAddress=premium-server at thawte.com
>  2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
>    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
> thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

This is *wrong* order.  It should be chain from your cert to one 
signed by root cert, each cert should be followed by it's issuer 
cert ("i:" should be followed immediatly with identical "s:").  
I.e. in your case it should be

0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My Biz/OU=Marketing/CN=my.domain.com
  i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
  i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
  i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com

You should change order of last two certs in your ssl_certificate 
file.

Maxim Dounin

More information about the nginx mailing list