SSL Certificate vs SSL Issuer Chain input file
I'm trying to get SSL working with a Wt app, and have specified the --ssl-certificate command line argument. My certificate issuer however has provided me with both a .crt certificate file and a .ca-bundle "issuer chain". As I understand it, the issuer chain contains a chain of trusted certificates from a known trusted certificate body, to my own, via some intermediaries.
I tried to specify the .ca-bundle file in the --ssl-certificate argument but received the following error from Wt at startup:
Error (asio): use_private_key_file: key values mismatch
When I use the .crt file itself, it runs fine, and works fine in Chrome and Safari, but some installations of Firefox on Windows don't trust the certificate, and the detail they give is as follows:
www.perth.surgerylink.com.au uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
Is it possible to specify the certificate chain file for OpenSSL?
Apache allows the following 3 settings:
SSLCertificateFile /etc/ssl/crt/yourDOMAINNAME.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/yourSERVERNAME.ca-bundle
The SSLCertificateChainFile doesn't seem to be an option in Wt. Is this an oversight? Is it something that is intended to be supported?
Also, just checking that you're aware of this, and that 1.0.1g is supported: http://www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html
Updated by Koen Deforche about 8 years ago
- Status changed from New to Feedback
- Assignee set to Koen Deforche
I am not an expert on this, but I would also think that the certificate and the issuer certificate chain are to be considered together, and thus go into one file.
Could you confirm that that does work for you?
Updated by Jesse Pepper about 8 years ago
Yes, sorry for the delayed response, I wanted to confirm that a few colleagues who were having trouble now saw my site as trusted. Concatenating the files together seems to work just fine. In case anyone else is having this issue, you keep the entire contents of each file and just merge them. I put the main key first and then the chain.
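The order of the merged file matters: OpenSSL's chain-file loader treats the first certificate in the file as the server certificate and checks the private key against it, which is the most likely reason the .ca-bundle on its own produced "key values mismatch" (its first block is a CA certificate, not the one the key belongs to). The script below is an added example, not code from Wt or from anyone in this thread. It reads the .crt and .ca-bundle as PEM, pulls the raw issuer and subject Name out of each certificate with a minimal DER walker (standard library only, no cryptography package), links the chain leaf-first regardless of the order the CA shipped the bundle in, and reports any certificate that does not fit. The certificate names, the helper function names and the sample certificates are all constructed for this example; the sample certificates are structurally valid X.509 skeletons with dummy signatures, so they exercise the ordering logic but would not verify.

```python
"""Merge a server .crt and its .ca-bundle into the single leaf-first PEM file
that OpenSSL's chain loader (and so Wt's --ssl-certificate option) expects.
Standard library only: a minimal DER walker extracts each certificate's raw
issuer/subject Name and the chain is linked by comparing those byte-for-byte
(DER is canonical, so equal Names encode identically)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """DER bytes of every CERTIFICATE block in a PEM file, in file order."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(text)]

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """(tag, raw_tlv_bytes) for each element of a SEQUENCE/SET body."""
    out, pos = [], start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        out.append((tag, buf[pos:vend]))
        pos = vend
    return out

def names(der):
    """Return (issuer_name_der, subject_name_der) of an X.509 certificate."""
    _, s, e = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    tbs = _children(der, s, e)[0][1]                # tbsCertificate
    _, ts, te = _tlv(tbs, 0)
    fields = _children(tbs, ts, te)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def check_chain(ders):
    """Problems with an already-ordered list: each cert must be issued by the next."""
    return ["certificate %d is not issued by certificate %d" % (i, i + 1)
            for i in range(len(ders) - 1) if names(ders[i])[0] != names(ders[i + 1])[1]]

def order_chain(ders):
    """Reorder leaf-first, each cert followed by its issuer. Returns (ordered, leftovers)."""
    by_subject = {names(d)[1]: d for d in ders}
    issuers = {names(d)[0] for d in ders}
    leaves = [d for d in ders if names(d)[1] not in issuers]    # nobody's issuer
    if not leaves and len(ders) == 1:                            # lone self-signed cert
        return list(ders), []
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate, found %d" % len(leaves))
    ordered = [leaves[0]]
    while True:
        issuer, subject = names(ordered[-1])
        nxt = by_subject.get(issuer)
        if issuer == subject or nxt is None or nxt in ordered:   # root reached or chain ends
            break
        ordered.append(nxt)
    return ordered, [d for d in ders if d not in ordered]

def build_bundle(crt_text, ca_bundle_text):
    """Merge yourDOMAINNAME.crt and yourSERVERNAME.ca-bundle into one leaf-first PEM."""
    ordered, leftovers = order_chain(pem_to_ders(crt_text) + pem_to_ders(ca_bundle_text))
    return "".join(der_to_pem(d) for d in ordered), leftovers

# ---- constructed sample input: tiny DER encoder, dummy algorithm and signature ----
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    attr = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def fake_cert(subject_cn, issuer_cn, serial):
    """Constructed X.509 v3 skeleton (sha256WithRSAEncryption OID, zero-length key and signature)."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))

LEAF = fake_cert("www.example.test", "Example Intermediate CA", 3)
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA", 2)
ROOT = fake_cert("Example Root CA", "Example Root CA", 1)
SERVER_CRT = der_to_pem(LEAF)
CA_BUNDLE = der_to_pem(ROOT) + der_to_pem(INTERMEDIATE)   # root-first, as some CAs ship it

if __name__ == "__main__":
    merged, unused = build_bundle(SERVER_CRT, CA_BUNDLE)
    print("order ok:", check_chain(pem_to_ders(merged)) == [], "unused certs:", len(unused))
```

On real files the same names can be eyeballed with `openssl x509 -noout -subject -issuer` run on each block; the merged output should start with the certificate whose subject is your host name, followed by the intermediate(s), with the self-signed root last or omitted (browsers already hold the root, so sending it is harmless but unnecessary). Comparing Names as raw DER is stricter than OpenSSL's own comparison, so a chain this script rejects may still be accepted by OpenSSL if the CA encoded the same name two different ways; a chain it accepts is in the right order.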