Bug #2916

SSL Certificate vs SSL Issuer Chain input file

Added by Jesse Pepper about 8 years ago. Updated about 8 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:


Hi There,

I'm trying to get SSL working with Wt app, and have specified the ---ssl-certificate command line argument. My certificate issuer however has provided me with both a .crt certificate file and a .ca-bundle "issuer chain". As I understand it, the issuer chain contains a chain of trusted certificates from a known trusted certificate body, to my own, via some intermediaries.

I tried to specify the .ca-bundle file in the ---ssl-certificate argument but received the following error from Wt at startup:

Error (asio): use_private_key_file: key values mismatch

When I use the .crt file itself, it runs fine, and works fine in chrome and safari, but some installations of firefox on windows don't trust the certificate, and the detail they give is as follows: uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

Is it possible to specify the certificate chain file for OpenSSL?

Apache allows the following 3 settings:

SSLCertificateFile /etc/ssl/crt/yourDOMAINNAME.crt 
SSLCertificateKeyFile /etc/ssl/crt/private.key 
SSLCertificateChainFile /etc/ssl/crt/ ***

The SSLCertificateChainFile doesn't seem to be an option in Wt. Is this an oversight? Is it something that is intended to support?

Also, just checking you're aware of this, and 1.01g is supported.

Also available in: Atom PDF